
CVE-2024-12329: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in g5theme Essential Real Estate

Severity: Medium
Published: Thu Dec 12 2024 (12/12/2024, 06:46:35 UTC)
Source: CVE Database V5
Vendor/Project: g5theme
Product: Essential Real Estate

Description

CVE-2024-12329 is a medium severity vulnerability in the Essential Real Estate WordPress plugin by g5theme, affecting all versions up to and including 5.1.6. The flaw arises from missing capability checks on certain pages and post types, allowing authenticated users with Contributor-level access or higher to view sensitive data such as invoices and transaction logs without proper authorization. Exploitation requires no user interaction but does require at least Contributor privileges. The vulnerability impacts confidentiality but does not affect integrity or availability. No known exploits are currently reported in the wild. Organizations using this plugin on WordPress sites should prioritize access control reviews and apply any forthcoming patches or implement compensating controls to restrict access to sensitive data. Countries with significant WordPress usage and real estate sectors are at higher risk.

AI-Powered Analysis

Last updated: 02/26/2026, 05:27:34 UTC

Technical Analysis

CVE-2024-12329 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the Essential Real Estate plugin for WordPress, developed by g5theme. This plugin, widely used for managing real estate listings and related transactions, contains a missing capability check on several pages and post types in all versions up to and including 5.1.6. Specifically, authenticated users with Contributor-level access or higher can bypass intended access restrictions to view sensitive information such as invoices and transaction logs. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N), with low attack complexity (AC:L). The attacker must have some level of authenticated access (PR:L), but no further privileges are needed. The scope is unchanged (S:U), and the impact is limited to confidentiality (C:L), with no impact on integrity or availability. This flaw could allow insider threats or compromised accounts with Contributor privileges to harvest sensitive financial data, potentially leading to privacy violations or further targeted attacks. No patches or exploit code are currently publicly available, but the vulnerability is officially published and tracked. The plugin’s lack of proper authorization checks on sensitive data endpoints is the root cause, highlighting the need for stricter role-based access control enforcement in WordPress plugins handling sensitive information.
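The flaw class described above, as an added illustration that is not the plugin's own code: an admin page and a custom post type registered without a capability that excludes Contributors, beside a hardened form that defines a dedicated capability, re-checks it in the page callback, and gives the post type its own capability set. All slugs, post type and capability names are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. Shows a missing capability check on
// an admin page and a post type (the advisory's flaw class) and a hardened form.
// Slugs, post type and capability names are assumptions.
// --- Weak pattern (assumed): page gated only by 'edit_posts', which the default
//     WordPress Contributor role holds, so Contributors can open the invoice page.
add_action( 'admin_menu', function () {
    add_menu_page( 'Invoices', 'Invoices', 'edit_posts', 'ere-invoices-weak', 'render_invoice_table' );
} );

// --- Hardened pattern ---
// 1. Dedicated capabilities, granted only to Administrators on activation.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( ! $role ) { return; }
    foreach ( array( 'view_ere_invoices', 'edit_ere_transactions', 'edit_others_ere_transactions',
                     'publish_ere_transactions', 'read_private_ere_transactions',
                     'delete_ere_transactions' ) as $cap ) {
        $role->add_cap( $cap );
    }
} );

// 2. Gate the page on that capability and re-check inside the callback: the menu
//    capability only controls the menu entry, so a direct URL must fail too.
add_action( 'admin_menu', function () {
    add_menu_page( 'Invoices', 'Invoices', 'view_ere_invoices', 'ere-invoices', function () {
        if ( ! current_user_can( 'view_ere_invoices' ) ) {
            wp_die( esc_html__( 'You are not allowed to view invoices.' ), '', array( 'response' => 403 ) );
        }
        render_invoice_table();
    } );
} );

// 3. Give the transaction-log post type its own capability set so the default 'post'
//    capabilities (partly held by Contributors) do not apply, and keep it out of the
//    front end and the REST API.
add_action( 'init', function () {
    register_post_type( 'ere_transaction', array(
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => false,
        'capability_type' => array( 'ere_transaction', 'ere_transactions' ),
        'map_meta_cap'    => true,
    ) );
} );

function render_invoice_table() {
    echo '<div class="wrap"><h1>Invoices</h1></div>'; // placeholder for the real table
}
```

The same pattern (a capability Contributors do not hold, checked both at registration and inside the handler) is the compensating control behind mitigation step 2 below.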

Potential Impact

The primary impact of CVE-2024-12329 is unauthorized disclosure of sensitive financial information such as invoices and transaction logs to users who should not have access. This exposure can lead to privacy breaches, loss of customer trust, and potential regulatory compliance issues, especially in jurisdictions with strict data protection laws. Organizations using the Essential Real Estate plugin on WordPress sites may face insider threats or exploitation by compromised Contributor-level accounts. Although the vulnerability does not affect data integrity or system availability, the confidentiality breach could facilitate further attacks, such as social engineering or fraud. The medium CVSS score reflects the moderate risk due to required authentication but low complexity and network accessibility. Real estate businesses, agencies, and platforms relying on this plugin could suffer reputational damage and financial losses if sensitive transactional data is leaked. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers often target WordPress plugins due to their widespread use.

Mitigation Recommendations

1. Immediately audit user roles and permissions on WordPress sites using the Essential Real Estate plugin, ensuring that only trusted users have Contributor-level or higher access.
2. Implement strict role-based access controls and consider restricting Contributor roles from accessing sensitive pages or post types until a patch is available.
3. Monitor access logs for unusual activity related to invoice and transaction data pages to detect potential exploitation attempts.
4. If possible, disable or restrict access to the affected plugin features temporarily in high-risk environments.
5. Stay informed on updates from g5theme and apply security patches promptly once released.
6. Consider deploying Web Application Firewalls (WAFs) with custom rules to block unauthorized access attempts to sensitive endpoints.
7. Educate site administrators and users about the risk of privilege escalation and the importance of strong authentication practices.
8. Review and harden WordPress security configurations, including limiting plugin installations and enforcing least privilege principles.
9. For critical environments, consider isolating sensitive data storage or using additional encryption to mitigate exposure risks.
10. Conduct regular security assessments and penetration testing focused on plugin vulnerabilities and access control weaknesses.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-06T21:32:09.785Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e37b7ef31ef0b597eed

Added to database: 2/25/2026, 9:48:39 PM

Last enriched: 2/26/2026, 5:27:34 AM

Last updated: 2/26/2026, 7:26:25 AM

