CVE-2024-12571 is a Local File Inclusion vulnerability categorized under CWE-98 affecting the Store Locator for WordPress with Google Maps – LotsOfLocales plugin, specifically version 3.98.9. The vulnerability arises from improper control of the filename used in include/require statements within the PHP code, specifically via the 'sl_engine' parameter. An attacker can manipulate this parameter to include arbitrary files from the server, which can contain malicious PHP code. Because the plugin does not authenticate or sanitize this input properly, attackers can execute arbitrary PHP code remotely without any authentication or user interaction. This can lead to full system compromise, including bypassing access controls, data exfiltration, and remote code execution. The vulnerability has a CVSS 3.1 base score of 9.8, reflecting its critical impact on confidentiality, integrity, and availability. No patches or official fixes are currently linked, and no exploits are publicly known, but the vulnerability's nature makes it highly exploitable. The plugin’s integration with WordPress, a widely used CMS, increases the potential attack surface significantly.

The impact of CVE-2024-12571 is severe for organizations using the affected plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the web server. This can result in complete system compromise, including unauthorized access to sensitive data, modification or deletion of files, and disruption of service availability. Attackers could also use this foothold to pivot within the network, escalate privileges, or deploy malware such as ransomware. Given WordPress’s popularity, many websites, including e-commerce, corporate, and governmental sites, could be affected, potentially leading to data breaches, reputational damage, and financial losses. The lack of authentication and user interaction requirements makes this vulnerability particularly dangerous and easy to exploit at scale.

To mitigate CVE-2024-12571, organizations should immediately upgrade the Store Locator for WordPress with Google Maps – LotsOfLocales plugin to a patched version once available. Until a patch is released, implement strict input validation and sanitization on the 'sl_engine' parameter to prevent arbitrary file inclusion. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI vulnerabilities targeting this parameter. Restrict file permissions on the server to limit the web server’s ability to read or execute unauthorized files. Disable PHP execution in directories used for file uploads or temporary storage. Regularly audit and monitor web server logs for suspicious requests targeting the vulnerable parameter. Additionally, consider isolating the WordPress environment using containerization or sandboxing to limit the blast radius of a potential compromise. Finally, maintain regular backups and have an incident response plan ready in case of exploitation.