CVE-2024-12545: CWE-352 Cross-Site Request Forgery (CSRF) in akashmalik Scratch & Win – Giveaways and Contests. Boost subscribers, traffic, repeat visits, referrals, sales and more
CVE-2024-12545 is a medium severity Cross-Site Request Forgery (CSRF) vulnerability affecting the WordPress plugin 'Scratch & Win – Giveaways and Contests' up to version 2.7.1. The vulnerability arises from missing nonce validation in the reset_installation() function, allowing unauthenticated attackers to reset the plugin’s installation if they can trick an authenticated site administrator into clicking a malicious link. Exploitation requires user interaction but no authentication, potentially impacting plugin integrity and availability. There are no known exploits in the wild currently. Organizations using this plugin should apply patches or implement nonce validation to mitigate the risk. The vulnerability primarily affects WordPress sites using this specific plugin, with higher risk in countries with widespread WordPress adoption and active use of marketing/giveaway plugins.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2024-12545 affects the WordPress plugin 'Scratch & Win – Giveaways and Contests' developed by akashmalik, specifically all versions up to and including 2.7.1. This plugin is designed to boost subscribers, traffic, repeat visits, referrals, and sales through interactive giveaways and contests. The root cause of the vulnerability is the absence of nonce validation in the reset_installation() function, which is intended to reset the plugin’s installation state. Nonce validation is a security mechanism in WordPress that helps prevent CSRF attacks by ensuring that requests are intentional and originate from legitimate users. Due to this missing validation, an attacker can craft a malicious request that, when executed by an authenticated site administrator (e.g., by clicking a link), triggers the reset_installation() function without proper authorization. This can lead to the plugin’s installation being reset unexpectedly, potentially disrupting the functionality of giveaways and contests, causing loss of configuration or data related to marketing campaigns. The vulnerability requires no authentication on the attacker’s part but does require user interaction from an administrator, making it a classic CSRF scenario. The CVSS v3.1 base score is 5.4, reflecting a medium severity level, with attack vector network (remote), low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved on December 11, 2024, and published on January 4, 2025. No official patches or updates have been linked yet, so mitigation may require manual nonce validation or disabling the plugin until a fix is available.
Potential Impact
The primary impact of this vulnerability is the potential unauthorized reset of the plugin’s installation, which can disrupt marketing and engagement activities relying on the 'Scratch & Win' plugin. This can lead to loss of configuration, data, and interruption of giveaways or contests, negatively affecting user experience and business operations tied to subscriber growth and sales. While the vulnerability does not directly expose sensitive data or allow privilege escalation, the integrity and availability of the plugin’s functionality are compromised. Organizations relying heavily on this plugin for marketing campaigns may face operational setbacks and reputational damage if attackers exploit this vulnerability. Since exploitation requires tricking an administrator, the risk is higher in environments with less security awareness or where administrators frequently interact with untrusted content. The vulnerability’s network accessibility and lack of required privileges increase the attack surface, making it easier for remote attackers to attempt exploitation. However, the need for user interaction limits automated exploitation. Overall, the impact is moderate but can be significant for businesses dependent on this plugin’s functionality.
Mitigation Recommendations
1. Immediate mitigation involves disabling or uninstalling the vulnerable plugin until an official patch is released.
2. Monitor for updates from the plugin developer and apply patches promptly once available.
3. Implement manual nonce validation for the reset_installation() function if feasible, ensuring that all state-changing requests require a valid nonce token.
4. Educate site administrators about the risks of clicking on unsolicited links or performing sensitive actions without verifying the source.
5. Employ web application firewalls (WAFs) that can detect and block CSRF attack patterns or suspicious POST requests targeting the plugin’s endpoints.
6. Restrict administrative access to trusted IP addresses or networks where possible to reduce exposure.
7. Regularly audit WordPress plugins for security compliance and remove unused or outdated plugins.
8. Use security plugins that can detect and alert on unusual administrative actions or plugin resets.
These steps collectively reduce the risk of exploitation and limit the potential damage from this vulnerability.
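The nonce mechanism described in the Technical Summary and the manual nonce validation recommended in step 3 above, as an added example that is not the plugin's own code: a hypothetical admin-post handler for a "reset installation" action, shown first in the unprotected shape the advisory describes and then in hardened form. The hook name, option name, text domain and capability are assumptions for illustration.

```php
<?php
// Added example (not the plugin's own code). Hook, option, text domain and
// capability names below are assumptions chosen for illustration.

// Unprotected pattern described in the advisory: nothing ties the request to
// an intentional action, so a request forged from another site is honoured
// whenever an administrator's browser sends it. Not hooked anywhere.
function sw_reset_installation_unprotected() {
    delete_option( 'sw_example_settings' ); // state-changing action
    wp_safe_redirect( admin_url( 'admin.php?page=sw-example&reset=1' ) );
    exit;
}

// Hardened form: verify the nonce bound to this specific action, then check
// that the caller actually holds the capability the action requires.
function sw_reset_installation_protected() {
    // Dies with a 403 unless $_REQUEST['_wpnonce'] is valid for this action.
    check_admin_referer( 'sw_reset_installation' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset this plugin.', 'sw-example' ), 403 );
    }
    delete_option( 'sw_example_settings' );
    wp_safe_redirect( admin_url( 'admin.php?page=sw-example&reset=1' ) );
    exit;
}
add_action( 'admin_post_sw_reset_installation', 'sw_reset_installation_protected' );

// The legitimate reset control on the plugin's settings page is a POST form
// carrying the nonce; a cross-site request cannot read or supply that value.
function sw_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="sw_reset_installation">
        <?php wp_nonce_field( 'sw_reset_installation' ); ?>
        <?php submit_button( 'Reset installation', 'delete' ); ?>
    </form>
    <?php
}
```

check_admin_referer() and wp_nonce_field() use the default field name _wpnonce, so the two calls pair up without extra arguments; the capability check is kept separate because a valid nonce only proves intent, not authorization.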
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, India, Brazil, France, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-11T21:24:59.613Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e41b7ef31ef0b59bc9b
Added to database: 2/25/2026, 9:48:49 PM
Last enriched: 2/26/2026, 3:44:57 AM
Last updated: 2/26/2026, 6:50:19 AM