
CVE-2024-12558: CWE-862 Missing Authorization in puckrobin WP BASE Booking of Appointments, Services and Events

Severity: Medium
Tags: Vulnerability, CVE-2024-12558, CWE-862
Published: Sat Dec 21 2024 (12/21/2024, 09:23:54 UTC)
Source: CVE Database V5
Vendor/Project: puckrobin
Product: WP BASE Booking of Appointments, Services and Events

Description

CVE-2024-12558 is a medium severity vulnerability in the WP BASE Booking of Appointments, Services and Events WordPress plugin that allows authenticated users with Subscriber-level access or higher to export sensitive database information without proper authorization checks. The flaw stems from a missing capability check on the export_db function, enabling exposure of sensitive data such as hashed administrator passwords. Exploitation requires no user interaction beyond authentication and can be performed remotely over the network. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to confidentiality. The affected plugin is widely used in appointment and event booking scenarios, making organizations relying on it vulnerable to data leakage. Mitigation involves applying patches once available, restricting user roles, and monitoring for suspicious export activity. Countries with large WordPress user bases and significant adoption of this plugin, including the United States, United Kingdom, Germany, Australia, Canada, and India, are most at risk.

AI-Powered Analysis

Last updated: 02/26/2026, 03:43:49 UTC

Technical Analysis

CVE-2024-12558 is a vulnerability identified in the WP BASE Booking of Appointments, Services and Events plugin for WordPress, affecting all versions up to and including 4.9.2. The root cause is a missing authorization check (CWE-862) on the export_db function, which is responsible for exporting database contents. This omission allows any authenticated user with at least Subscriber-level privileges to invoke this function and export sensitive data from the plugin's database tables. Critically, this data can include hashed administrator passwords, which could be leveraged in offline attacks to escalate privileges or compromise the site further. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 6.5, reflecting a medium severity with high confidentiality impact but no impact on integrity or availability. The attack complexity is low, and privileges required are low (authenticated user), making exploitation feasible in environments where user registration or lower privilege accounts exist. No patches or official fixes are currently linked, increasing the urgency for administrators to implement interim controls. The vulnerability is particularly concerning because WordPress sites often serve as critical business infrastructure, and plugins like WP BASE Booking are commonly used for managing appointments and events, which may contain sensitive customer and organizational data.

Potential Impact

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information, including hashed administrator passwords, which can lead to further compromise of the WordPress site and potentially the underlying server. Exposure of hashed passwords increases the risk of privilege escalation attacks if attackers can crack these hashes offline. Organizations relying on this plugin for booking and event management may suffer data breaches affecting customer privacy and trust. The confidentiality breach could also lead to regulatory compliance issues, especially in jurisdictions with strict data protection laws such as GDPR. Although the vulnerability does not directly affect data integrity or availability, the resulting compromise from leaked credentials could lead to defacement, data manipulation, or denial of service. The ease of exploitation by low-privileged users means that any registered user, including those created by attackers via registration forms or social engineering, could leverage this flaw. This broadens the attack surface significantly. The lack of known exploits in the wild currently limits immediate widespread impact but does not preclude targeted attacks against vulnerable sites.

Mitigation Recommendations

Until an official patch is released, organizations should implement the following mitigations:

1) Restrict user registrations or limit Subscriber-level accounts to trusted users only, reducing the risk of attacker-controlled accounts.
2) Employ WordPress security plugins or custom code to add capability checks on the export_db function or block access to it for low-privileged roles.
3) Monitor server and application logs for unusual export_db function calls or unexpected database export activities.
4) Enforce strong password policies and consider rehashing administrator passwords with stronger algorithms to mitigate risks if hashes are leaked.
5) Regularly back up WordPress sites and databases to enable recovery in case of compromise.
6) Stay alert for updates from the plugin vendor or WordPress security advisories and apply patches promptly once available.
7) Consider isolating or replacing the vulnerable plugin with alternative booking solutions that have verified security postures.
8) Harden WordPress installations by disabling unnecessary plugins and enforcing the principle of least privilege for all user roles.
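The root cause in the Technical Analysis is an export handler that any logged-in user can reach, and mitigation 2 asks for a capability check or a block on that handler. The following is an added example written for this page, not code from the WP BASE Booking plugin or from Wordfence: it shows a generic WordPress admin-ajax export handler in the unchecked form the advisory describes, the hardened form with a capability check, a nonce check and an audit log line, and an interim must-use-plugin guard that denies the action to anyone lacking manage_options. All hook names, function names, the action name and the table name are hypothetical placeholders; the plugin's real identifiers are not on this page and must be confirmed from its source before the guard is deployed.

```php
<?php
/**
 * Added example, not the plugin's own code. Every identifier below
 * (example_export_db, the nonce name, the table name) is a placeholder.
 */

// Pattern described by the advisory: a wp_ajax_ hook only requires that
// the caller be logged in. Without a capability check inside the callback,
// a Subscriber can trigger the export exactly like an administrator.
function example_export_db_unchecked() {
    // ... dumps plugin tables to the response with no authorization check ...
}
// add_action( 'wp_ajax_example_export_db', 'example_export_db_unchecked' );

// Hardened form: authorization, CSRF protection, audit logging, and a
// fixed allow-list of tables so wp_users is never part of the export.
function example_export_db_guarded() {
    // 1. Authorization. current_user_can() tests a capability rather than a
    //    role name, so custom roles granted manage_options still work.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_export_db_nonce', '_wpnonce' );

    // 3. Audit trail, so unexpected exports show up in the logs (mitigation 3).
    $remote = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf( 'export_db requested by user %d from %s',
        get_current_user_id(), $remote ) );

    // 4. Export only the plugin's own tables (placeholder name), never core tables.
    global $wpdb;
    $tables = array( $wpdb->prefix . 'example_plugin_bookings' );
    $rows   = array();
    foreach ( $tables as $table ) {
        $rows[ $table ] = $wpdb->get_results( "SELECT * FROM `{$table}`", ARRAY_A );
    }
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_export_db', 'example_export_db_guarded' );

// Interim control for mitigation 2 while no vendor patch exists: drop this
// into wp-content/mu-plugins/ so it loads before ordinary plugins. admin_init
// fires for admin-ajax.php requests, and priority 0 runs it before the
// vulnerable handler. Replace the placeholder action name with the real one
// after confirming it from the plugin source.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( 'PLACEHOLDER_export_db_action' === $action
         && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( 'blocked export_db attempt by user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Export blocked pending vendor patch.' ), 403 );
    }
}, 0 );
```

The guard in the must-use plugin is deliberately deny-by-default for one action rather than a broad filter: it leaves every other admin-ajax action untouched, so booking functionality for customers keeps working while only the export path is closed to low-privileged roles. The error_log lines give the monitoring in mitigation 3 something concrete to alert on.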


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-11T23:23:55.808Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e43b7ef31ef0b59be83

Added to database: 2/25/2026, 9:48:51 PM

Last enriched: 2/26/2026, 3:43:49 AM

Last updated: 2/26/2026, 10:06:38 AM

