CVE-2024-12635 identifies a time-based SQL Injection vulnerability in the WP Docs plugin for WordPress, specifically via the 'dir_id' parameter. The root cause is insufficient escaping and lack of proper query preparation when handling user-supplied input, allowing attackers to inject additional SQL commands into existing queries. This vulnerability affects all versions up to and including 2.2.0, with a partial fix introduced in 2.2.0. Exploitation requires an authenticated user with at least Subscriber-level privileges, which is a relatively low barrier given WordPress's common user roles. The attack vector is network-based with no user interaction needed beyond authentication. Successful exploitation can lead to unauthorized disclosure of sensitive database information, impacting confidentiality but not integrity or availability. The CVSS 3.1 base score is 6.5 (medium), reflecting the ease of exploitation and potential data exposure. No public exploits have been reported yet, but the vulnerability poses a significant risk to websites using this plugin without updated patches or mitigations.

The primary impact of this vulnerability is the potential unauthorized disclosure of sensitive information stored in the WordPress database, including user data, configuration details, or other confidential content managed by the WP Docs plugin. Since the attack requires only Subscriber-level access, an attacker could leverage compromised or created low-privilege accounts to escalate data access without needing administrator credentials. This can lead to privacy violations, data breaches, and potential compliance issues for organizations handling personal or sensitive data. Although the vulnerability does not affect data integrity or availability directly, the exposure of confidential information can undermine trust and lead to secondary attacks such as phishing or further exploitation. Organizations with public-facing WordPress sites using WP Docs are at risk, especially if they have not applied the partial patch or other mitigations.

1. Immediately update the WP Docs plugin to the latest version beyond 2.2.0 where the partial patch is applied; monitor for future updates that fully resolve the issue. 2. Restrict Subscriber-level user creation and monitor for suspicious account activity to reduce the risk of authenticated exploitation. 3. Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'dir_id' parameter. 4. Conduct regular security audits and database access monitoring to detect unusual query patterns or data exfiltration attempts. 5. If updating is not immediately possible, consider disabling or restricting the WP Docs plugin functionality that processes the 'dir_id' parameter. 6. Employ principle of least privilege for WordPress user roles and ensure strong authentication controls to limit attacker foothold. 7. Review and sanitize all user inputs in custom code or plugins to prevent similar injection flaws. 8. Maintain regular backups and incident response plans to quickly recover from potential breaches.