CVE-2024-12571 is a critical Local File Inclusion vulnerability identified in version 3.98.9 of the Store Locator for WordPress with Google Maps – LotsOfLocales plugin. The vulnerability stems from improper validation and control of the 'sl_engine' parameter, which is used in PHP include or require statements. An attacker can manipulate this parameter to include arbitrary files from the server, leading to execution of malicious PHP code. This flaw allows unauthenticated remote attackers to bypass access controls, execute arbitrary code, and potentially gain full control over the affected web server. The vulnerability is classified under CWE-98, which concerns improper control of filename for include/require statements in PHP programs. The CVSS v3.1 base score is 9.8, reflecting the ease of exploitation over the network without authentication or user interaction, and the severe impact on confidentiality, integrity, and availability of the system. Although no public exploits have been reported yet, the nature of the vulnerability makes it highly exploitable and dangerous. The plugin is widely used in WordPress sites that provide store location services with Google Maps integration, making the attack surface significant. The vulnerability can be exploited even if the attacker only uploads files typically considered safe, such as images, by leveraging the inclusion flaw to execute embedded PHP code. This elevates the risk of data breaches, website defacement, or full server compromise.

The impact of CVE-2024-12571 is severe and multifaceted. Successful exploitation can lead to remote code execution on the web server hosting the vulnerable WordPress plugin, allowing attackers to execute arbitrary PHP code. This can result in complete compromise of the affected system, including unauthorized access to sensitive data, modification or deletion of files, and disruption of service. The vulnerability can also be used to bypass existing access controls, potentially exposing administrative interfaces or confidential information. For organizations, this could mean data breaches, defacement of websites, loss of customer trust, and regulatory penalties. Given the plugin's integration with Google Maps and its use in e-commerce or business directories, attackers could manipulate location data or disrupt business operations. The ease of exploitation without authentication or user interaction increases the likelihood of widespread attacks. Additionally, compromised servers could be used as launch points for further attacks within an organization's network or for hosting malicious content, amplifying the overall risk.

To mitigate CVE-2024-12571, organizations should immediately update the Store Locator for WordPress with Google Maps – LotsOfLocales plugin to a patched version once available. In the absence of an official patch, administrators should consider disabling or removing the plugin to eliminate the attack vector. Implement strict input validation and sanitization on the 'sl_engine' parameter to prevent inclusion of arbitrary files. Employ web application firewalls (WAFs) with rules specifically designed to detect and block attempts to exploit Local File Inclusion vulnerabilities targeting this plugin. Restrict file upload types and enforce server-side checks to prevent uploading of files containing executable PHP code disguised as images or other safe formats. Harden PHP configurations by disabling functions like include(), require(), and allow_url_include where not necessary. Monitor web server logs for suspicious requests involving the 'sl_engine' parameter and unusual file inclusion attempts. Conduct regular security audits and vulnerability scans focused on WordPress plugins. Finally, implement least privilege principles for web server file permissions to limit the impact of any successful exploitation.