CVE-2024-12535 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Host PHP Info plugin developed by eflyjason for WordPress. The vulnerability exists because the plugin fails to perform proper capability checks before including the phpinfo function output. Phpinfo reveals extensive details about the server's PHP configuration, environment variables, loaded modules, and other sensitive information. Since the plugin does not require activation for the vulnerability to be exploited, any WordPress site with the plugin installed is at risk. The vulnerability has a CVSS 3.1 base score of 8.6, indicating high severity, with an attack vector of network (remote), no privileges required, no user interaction, and a scope change due to confidentiality impact. The vulnerability allows unauthenticated remote attackers to retrieve sensitive configuration data, which can be leveraged for further attacks such as privilege escalation, code injection, or targeted exploitation of other vulnerabilities. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on December 11, 2024, and published on January 7, 2025.

The primary impact of CVE-2024-12535 is the unauthorized disclosure of sensitive server configuration information, which compromises confidentiality. Attackers can gain insights into PHP version details, loaded extensions, server environment variables, and other configuration parameters that can facilitate further exploitation, such as identifying vulnerable components or misconfigurations. Although the vulnerability does not directly affect integrity or availability, the information disclosure can lead to more severe attacks, including remote code execution or privilege escalation. Organizations running WordPress sites with the vulnerable plugin are at risk of data leakage, potentially exposing internal infrastructure details to attackers. This can be particularly damaging for high-profile websites, e-commerce platforms, or sites handling sensitive user data. The fact that exploitation requires no authentication and no user interaction increases the risk and potential attack surface significantly.

To mitigate CVE-2024-12535, organizations should immediately identify and remove or disable the eflyjason Host PHP Info plugin from their WordPress installations if it is not essential. If the plugin is required, monitor the vendor's official channels for patches or updates addressing the missing authorization check and apply them promptly once available. As a temporary measure, restrict access to the phpinfo endpoint or the plugin's files via web server configuration (e.g., using .htaccess rules or firewall rules) to allow only trusted IP addresses or authenticated users. Additionally, implement web application firewalls (WAFs) with custom rules to detect and block requests attempting to access the phpinfo functionality. Regularly audit WordPress plugins for unnecessary or outdated components and enforce the principle of least privilege for plugin capabilities. Finally, maintain comprehensive logging and monitoring to detect any suspicious access patterns related to this vulnerability.