CVE-2024-12330: CWE-530 Exposure of Backup File to an Unauthorized Control Sphere in databasebackup WP Database Backup – Unlimited Database & Files Backup by Backup for WP
CVE-2024-12330 is a high-severity vulnerability affecting the WP Database Backup – Unlimited Database & Files Backup plugin for WordPress. It allows unauthenticated attackers to access publicly exposed backup files containing sensitive database information. This exposure can lead to the disclosure of all data stored in the WordPress database without requiring any user interaction or privileges. The vulnerability affects all versions up to and including 7.3 of the plugin. Exploitation is straightforward due to the lack of access controls on backup files. Although no known exploits are currently in the wild, the potential impact on confidentiality is severe. Organizations using this plugin should urgently review their backup file accessibility and implement strict access controls. The vulnerability has a CVSS score of 7.5, reflecting its high risk.
AI Analysis
Technical Summary
CVE-2024-12330 is a vulnerability categorized under CWE-530 (Exposure of Backup File to an Unauthorized Control Sphere) found in the WP Database Backup – Unlimited Database & Files Backup plugin by Backup for WP. This plugin is widely used to create backups of WordPress databases and files. The vulnerability arises because backup files generated by the plugin are publicly accessible without authentication or authorization controls. As a result, attackers can directly download these backup files from the web server, gaining access to sensitive information stored within the WordPress database, such as user credentials, personal data, and site configuration details. The vulnerability affects all versions up to and including 7.3, with no patch currently available. The CVSS 3.1 base score is 7.5, indicating high severity due to the ease of remote exploitation (network vector), no required privileges, and no user interaction needed. The impact is limited to confidentiality, with no direct integrity or availability consequences. The exposure of backup files is a critical security misconfiguration that can lead to data breaches and further compromise of the affected WordPress sites. No known exploits have been reported in the wild yet, but the vulnerability's nature makes it a prime target for attackers seeking sensitive data from vulnerable WordPress installations.
Potential Impact
The primary impact of CVE-2024-12330 is the unauthorized disclosure of sensitive data stored in WordPress databases. This can include user credentials, personally identifiable information (PII), payment data, and other confidential content managed by the website. For organizations, this exposure can lead to data breaches, loss of customer trust, regulatory penalties (e.g., GDPR, CCPA), and potential downstream attacks such as account takeover or phishing. Since backup files often contain comprehensive snapshots of the entire database, the volume and sensitivity of exposed data can be substantial. The vulnerability does not directly affect system integrity or availability but significantly compromises confidentiality. Organizations relying on this plugin for backup without proper access restrictions are at high risk. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate scanning and data extraction at scale, potentially impacting many sites globally. This threat is particularly critical for e-commerce, healthcare, financial services, and other sectors handling sensitive user data.
Mitigation Recommendations
To mitigate CVE-2024-12330, organizations should immediately audit their WordPress installations for the presence of the vulnerable WP Database Backup plugin and verify whether backup files are publicly accessible. Specific mitigation steps include:
1) Restricting access to backup directories using web server configuration (e.g., .htaccess rules for Apache or location blocks for Nginx) to deny public HTTP access;
2) Moving backup files outside the web root directory to prevent direct URL access;
3) Implementing authentication and authorization controls for accessing backup files;
4) Regularly monitoring web server logs for unauthorized access attempts to backup files;
5) Considering alternative backup solutions that enforce secure storage and access controls;
6) Keeping WordPress core, plugins, and themes updated and applying patches promptly once available for this vulnerability;
7) Educating site administrators about secure backup handling and the risks of exposing backup files publicly.
Since no official patch is currently available, these configuration and operational controls are critical to prevent exploitation.
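As an added defender's example (not code from the advisory, the plugin or its vendor), the following Python script implements step 4 above: it parses combined-format Apache/Nginx access-log lines, flags successful downloads of backup-like files and counts denied or missing requests for such paths per client. The backup directory name, the extension list and the log lines are constructed assumptions, not values from the plugin.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Apache/Nginx "combined" access-log line: ip ident user [ts] "req" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Heuristic list of backup-like extensions (an assumption for this example, not
# taken from the plugin); tune it to what your backup tooling actually writes.
BACKUP_EXTS = (".sql", ".sql.gz", ".sql.zip", ".zip", ".tar", ".tar.gz")

def is_backup_path(path: str) -> bool:
    """True if the request path (query string ignored) ends in a backup-like extension."""
    name = PurePosixPath(path.split("?", 1)[0]).name.lower()
    return name.endswith(BACKUP_EXTS)

def audit(lines):
    """Return (downloads, probes): 200 responses for backup-like files as
    (ip, path, bytes) tuples, and a per-IP count of 403/404 misses on such paths."""
    downloads, probes = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_backup_path(m["path"]):
            continue
        if m["status"] == "200":
            downloads.append((m["ip"], m["path"], m["size"]))
        elif m["status"] in ("403", "404"):
            probes[m["ip"]] += 1
    return downloads, probes

# Constructed sample log lines; the backup directory name is a placeholder.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Feb/2026:21:48:39 +0000] "GET /wp-content/uploads/backup-placeholder/site-2026-02-25.sql.gz HTTP/1.1" 200 5242880 "-" "curl/8.5.0"',
    '203.0.113.5 - - [25/Feb/2026:21:48:40 +0000] "GET /wp-content/uploads/backup-placeholder/site-2026-02-24.sql.gz HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    '198.51.100.7 - - [25/Feb/2026:21:50:01 +0000] "GET /wp-content/uploads/2026/02/logo.png HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Feb/2026:21:50:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4010 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Feb/2026:21:52:11 +0000] "GET /wp-content/uploads/backup-placeholder/db.sql HTTP/1.1" 403 199 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    downloads, probes = audit(SAMPLE_LOG)
    for ip, path, size in downloads:
        print(f"ALERT backup file served: {ip} fetched {path} ({size} bytes)")
    for ip, n in probes.items():
        print(f"NOTICE {ip} had {n} denied/missing request(s) for backup-like paths")
```

A 200 hit is the signal that matters for this CVE, since it means a backup was actually served to an unauthenticated client; 403 entries confirm the deny rule from step 1 is working, and 404 runs from one address indicate guessing of backup file names.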
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, Brazil, France, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-06T21:53:14.478Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e37b7ef31ef0b597ef1
Added to database: 2/25/2026, 9:48:39 PM
Last enriched: 2/26/2026, 3:56:06 AM
Last updated: 2/26/2026, 7:33:42 AM