CVE-2024-12594 is a critical privilege escalation vulnerability identified in the WordPress plugin Custom Login Page Styler developed by zia-imtiaz. This plugin provides features such as changing the wp-admin login URL, customizing the login page, and generating temporary admin login access URLs. The vulnerability stems from a missing capability check (CWE-862) on the AJAX action 'lps_generate_temp_access_url'. This action is intended to generate temporary access URLs for administrative or privileged users. However, due to the lack of proper authorization verification, any authenticated user with Subscriber-level privileges or higher can invoke this AJAX endpoint to generate temporary login URLs for other users, effectively allowing them to impersonate those users. This bypasses intended access controls and leads to privilege escalation. The vulnerability affects all versions of the plugin up to and including version 7.1.1. The CVSS v3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, privileges required (low-level authenticated user), no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk for WordPress sites using this plugin. Attackers exploiting this flaw can gain unauthorized access to accounts, potentially including administrative users, leading to full site compromise, data theft, or site defacement.

The impact of CVE-2024-12594 is substantial for organizations running WordPress sites with the vulnerable Custom Login Page Styler plugin. Attackers with minimal privileges (Subscriber-level) can escalate their privileges to impersonate other users, including administrators, resulting in full site takeover. This compromises the confidentiality of sensitive data, integrity of site content, and availability of services. Malicious actors could inject malicious code, steal user data, modify site configurations, or lock out legitimate administrators. For e-commerce, membership, or content management sites, this could lead to financial losses, reputational damage, and regulatory compliance violations. The vulnerability's network accessibility and lack of user interaction requirements increase the risk of automated exploitation and widespread attacks. Organizations without timely patching or mitigation are at risk of persistent unauthorized access and potential lateral movement within their WordPress environments.

To mitigate CVE-2024-12594, organizations should immediately update the Custom Login Page Styler plugin to a patched version once available from the vendor. Until a patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Implementing Web Application Firewall (WAF) rules to block or monitor requests to the 'lps_generate_temp_access_url' AJAX action can help detect or prevent exploitation attempts. Restricting plugin usage to trusted administrators and minimizing the number of users with Subscriber or higher privileges reduces risk. Regularly auditing user roles and permissions can prevent unauthorized privilege escalation. Monitoring WordPress logs for unusual login URL generation or access patterns is also recommended. Additionally, enforcing multi-factor authentication (MFA) for all privileged accounts can limit the impact of compromised credentials. Finally, organizations should maintain up-to-date backups to recover quickly from potential compromises.