CVE-2024-12636: CWE-352 Cross-Site Request Forgery (CSRF) in wplegalpages Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages
CVE-2024-12636 is a medium-severity Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 3.2.6 of the WP Legal Pages WordPress plugin. The flaw arises from missing or incorrect nonce validation in the 'create_popup_delete_process' function, which lets an unauthenticated attacker forge a request that deletes popups when a logged-in site administrator is tricked into triggering it, for example by clicking a malicious link. Exploitation therefore requires user interaction. The vulnerability affects integrity only, through unauthorized deletion of popup content; confidentiality and availability are not affected. No exploitation in the wild has been reported. Organizations using this plugin should apply the vendor's update once one is available and, in the meantime, restrict administrative access and add CSRF protections in front of the plugin's administrative endpoints. Countries with significant WordPress usage and large plugin markets, such as the United States, Germany, the United Kingdom, Australia, Canada, and India, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2024-12636 is a Cross-Site Request Forgery (CSRF) vulnerability in the WP Legal Pages WordPress plugin (Privacy Policy Generator, Terms & Conditions Generator). All versions up to and including 3.2.6 are affected because the 'create_popup_delete_process' function performs missing or incorrect nonce validation. WordPress nonces are per-user, per-action tokens with a limited lifetime (valid for 12 to 24 hours) that tie a state-changing request to the admin page or form that rendered it; a handler that skips wp_verify_nonce() / check_admin_referer() accepts any request that arrives with the victim's session cookie, regardless of which site initiated it. An attacker can therefore host a page or link that issues the deletion request, and if an authenticated administrator visits it the browser attaches the administrator's cookies and the popup is deleted without the administrator's intent. The attacker needs no account on the target site; the only prerequisite is the administrator's interaction. Note that a nonce check is a CSRF defence, not an authorization check: a complete handler pairs it with a capability check such as current_user_can(). The impact is limited to integrity, through unauthorized deletion of popup content, which can disrupt site functionality or user experience. The CVSS v3.1 base score is 4.3 (Medium), consistent with a network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and low integrity impact with no confidentiality or availability impact (vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). No public exploit has been reported. The CVE was published on December 25, 2024, with Wordfence as the assigning CNA. No patch or fixed version is linked in this record, so until a vendor fix is confirmed, mitigation relies on administrative controls and monitoring.
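The pattern the analysis describes, shown as an added illustration rather than the plugin's actual code: a hypothetical admin-post deletion handler with the nonce and capability checks absent, beside a hardened version of the same handler and the form that emits the matching nonce. The function names (example_popup_delete_*), the admin-post action name example_delete_popup, the option key example_popups and the menu slug example-popups are assumptions made for this example; only the WordPress API calls (check_admin_referer, wp_nonce_field, current_user_can, and so on) are real.

```php
<?php
/**
 * Added illustration of the CWE-352 pattern described above. This is not the
 * WP Legal Pages source: the function names, the admin-post action name
 * "example_delete_popup", the option key "example_popups" and the menu slug
 * "example-popups" are hypothetical. The WordPress API calls are real.
 */

// ---- Vulnerable shape (deliberately kept as described; do not register in a real plugin) ----
// A request that reaches this handler is acted on unconditionally. A page on
// another site can submit it, and the victim's browser attaches the WordPress
// session cookie, so "the user is logged in" proves nothing about intent.
function example_popup_delete_vulnerable() {
    $id     = isset( $_REQUEST['popup_id'] ) ? absint( $_REQUEST['popup_id'] ) : 0;
    $popups = get_option( 'example_popups', array() );
    unset( $popups[ $id ] );                       // no nonce check, no capability check
    update_option( 'example_popups', $popups );
    wp_safe_redirect( admin_url( 'admin.php?page=example-popups' ) );
    exit;
}

// ---- Hardened shape ----
function example_popup_delete_hardened() {
    // 1. State changes only over POST, so a plain link cannot trigger them.
    if ( 'POST' !== strtoupper( $_SERVER['REQUEST_METHOD'] ) ) {
        wp_die( 'Method not allowed.', 'Error', array( 'response' => 405 ) );
    }
    // 2. Authorization: the nonce is not a permission check, so check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete popups.', 'Forbidden', array( 'response' => 403 ) );
    }
    // 3. CSRF: the nonce is bound to this action and this popup ID, was generated for
    //    the current user and session, and expires; a forged request cannot carry it.
    //    check_admin_referer() stops the request with a "link expired" page on failure.
    $id = isset( $_POST['popup_id'] ) ? absint( $_POST['popup_id'] ) : 0;
    check_admin_referer( 'example_delete_popup_' . $id, '_wpnonce' );

    $popups = get_option( 'example_popups', array() );
    if ( isset( $popups[ $id ] ) ) {
        unset( $popups[ $id ] );
        update_option( 'example_popups', $popups );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=example-popups&deleted=' . $id ) );
    exit;
}
// admin_post_{action} only fires for logged-in users; the capability check above
// narrows that further to users who may manage the plugin.
add_action( 'admin_post_example_delete_popup', 'example_popup_delete_hardened' );

// The admin UI must emit the matching nonce. wp_nonce_field() adds the _wpnonce
// input (and a _wp_http_referer input) for the given action string.
function example_render_delete_form( $id ) {
    $id = absint( $id );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_delete_popup">
        <input type="hidden" name="popup_id" value="<?php echo esc_attr( $id ); ?>">
        <?php wp_nonce_field( 'example_delete_popup_' . $id, '_wpnonce' ); ?>
        <?php submit_button( 'Delete popup', 'delete', 'submit', false ); ?>
    </form>
    <?php
}
```

For a handler reached through admin-ajax.php the equivalent check is check_ajax_referer() with a nonce created by wp_create_nonce() and handed to the script via wp_localize_script(); the capability check and the POST-only rule stay the same. Binding the popup ID into the nonce action string, as above, also stops a nonce issued for one popup from being replayed against another.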
Potential Impact
The primary impact is on the integrity of WordPress sites running the WP Legal Pages plugin: an attacker can cause unauthorized deletion of popup content, disrupting legal notices or interface elements the site relies on for compliance and user trust. Confidentiality and availability are not directly compromised, but the loss of legal policy popups (for example privacy or terms notices) can create regulatory exposure or user confusion, and organizations that depend on the plugin for legal documentation may face reputational or legal consequences if popups are deleted maliciously. Because exploitation requires an administrator to visit attacker-controlled content while logged in, social engineering is the key factor; risk is higher in environments with low security awareness or where administrators browse the web from the same browser session they use for the WordPress dashboard. All sites running vulnerable versions are exposed, a potentially large population given WordPress's global footprint. The absence of known exploits in the wild and the medium CVSS score suggest the immediate risk is moderate, but it should not be ignored.
Mitigation Recommendations
1. Monitor for an official patch from the WP Legal Pages vendor and apply it promptly once available; afterwards, confirm that the installed version is newer than 3.2.6.
2. Until a patch is released, restrict administrative access to trusted personnel and enforce strong authentication such as multi-factor authentication (MFA). MFA does not stop CSRF, because the forged request rides on an already-authenticated session; it limits who can hold such a session.
3. Educate administrators about the risk of opening unsolicited links while logged in to the dashboard. Using a separate browser profile for administration reduces the chance that a forged request carries the admin session cookie.
4. Where a WAF or reverse proxy sits in front of the site, add rules that reject requests to admin-post.php and admin-ajax.php whose Origin, Referer or Sec-Fetch-Site header indicates a cross-site source. Generic "CSRF signature" rules are of little use, because a forged request is indistinguishable from a legitimate one except by its source.
5. Consider disabling the popup feature, or the plugin, if it is not essential, until the vulnerability is resolved.
6. Audit plugin activity and logs for unexpected popup deletions, and alert on deletion actions whose source headers are not the site's own origin.
7. A security plugin or must-use plugin can enforce same-origin checks on administrative endpoints as a stop-gap; it cannot retrofit the missing nonce check into the vulnerable handler itself, so treat this as defence in depth rather than a fix.
8. Back up site data frequently, including the database where plugin settings live, so unauthorized deletions can be reverted quickly.
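One way to implement recommendations 4, 6 and 7 without waiting for a vendor fix is a must-use plugin that refuses cross-site requests to WordPress's administrative action endpoints and logs what it refused. This is an added example, not part of WP Legal Pages or of this advisory; the function names, log tag and file name are hypothetical. It relies on the real Sec-Fetch-Site, Origin and Referer request headers and on the WordPress admin_init hook, which fires for both admin-post.php and admin-ajax.php.

```php
<?php
/**
 * Plugin Name: Example cross-site guard for admin endpoints
 * Description: Added illustration (not a WP Legal Pages component). Save as
 *              wp-content/mu-plugins/example-cross-site-guard.php.
 */

/**
 * Decide whether a request to admin-post.php / admin-ajax.php came from another
 * site. Pure function (no globals) so the policy can be reviewed and unit-tested.
 *
 * Returns true when the request should be refused.
 */
function example_is_cross_site( $method, $sec_fetch_site, $origin, $referer, $site_host ) {
    $sec_fetch_site = strtolower( trim( (string) $sec_fetch_site ) );

    // Fetch Metadata (sent by current browsers on every request, GET navigations
    // included) is the most reliable signal: "cross-site" means exactly that.
    if ( 'cross-site' === $sec_fetch_site ) {
        return true;
    }
    if ( '' !== $sec_fetch_site ) {
        return false; // same-origin, same-site, or none (URL typed or bookmarked by the user)
    }

    // Legacy fallback for browsers without Fetch Metadata: browsers always send
    // Origin on cross-origin POST; Referer is a weaker second choice because the
    // attacker page can suppress it. Only POST is judged here, since a GET with no
    // source headers cannot be told apart from a bookmark or an API client.
    if ( 'POST' !== strtoupper( (string) $method ) ) {
        return false;
    }
    $source = '' !== (string) $origin ? (string) $origin : (string) $referer;
    if ( '' === $source ) {
        return false; // no browser source headers: cron, WP-CLI, scripted clients
    }
    $host = wp_parse_url( $source, PHP_URL_HOST );
    return strtolower( (string) $host ) !== strtolower( (string) $site_host );
}

add_action( 'admin_init', function () {
    // admin_init runs for admin-post.php and admin-ajax.php as well as wp-admin pages;
    // restrict the guard to the two action endpoints that plugins hook for state changes.
    $script = basename( isset( $_SERVER['SCRIPT_NAME'] ) ? $_SERVER['SCRIPT_NAME'] : '' );
    if ( ! in_array( $script, array( 'admin-post.php', 'admin-ajax.php' ), true ) ) {
        return;
    }

    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    $method    = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    $sfs       = isset( $_SERVER['HTTP_SEC_FETCH_SITE'] ) ? $_SERVER['HTTP_SEC_FETCH_SITE'] : '';
    $origin    = isset( $_SERVER['HTTP_ORIGIN'] ) ? $_SERVER['HTTP_ORIGIN'] : '';
    $referer   = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';

    if ( ! example_is_cross_site( $method, $sfs, $origin, $referer, $site_host ) ) {
        return;
    }

    // Log enough to investigate (recommendation 6) without logging request bodies,
    // which may contain nonces or credentials.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    error_log( sprintf(
        '[example-cross-site-guard] refused %s %s action=%s sec-fetch-site=%s origin=%s referer=%s user=%d',
        $method, $script, $action, $sfs, $origin, $referer, get_current_user_id()
    ) );
    wp_die( 'Cross-site request refused.', 'Forbidden', array( 'response' => 403 ) );
}, 0 );
```

Caveats a practitioner should weigh before deploying this: it also refuses legitimate cross-site flows that land on admin-post.php or admin-ajax.php (for example third-party callbacks some plugins route there), so test on staging first; Sec-Fetch-Site reports "same-site" for a sibling subdomain, which the policy allows; and on a browser without Fetch Metadata a GET-triggered action with a suppressed Referer is not caught. None of this replaces the nonce and capability checks in the vulnerable handler, which only a vendor fix can supply.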
Affected Countries
United States, Germany, United Kingdom, Australia, Canada, India, France, Brazil, Netherlands, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-14T00:01:41.529Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e46b7ef31ef0b59c27d
Added to database: 2/25/2026, 9:48:54 PM
Last enriched: 2/26/2026, 3:13:50 AM
Last updated: 2/26/2026, 8:52:55 AM
Related Threats
- CVE-2026-1698: CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax in arcinfo PcVue (Medium)
- CVE-2026-1697: CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in arcinfo PcVue (Medium)
- CVE-2026-1696: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue (Low)
- CVE-2026-1695: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in arcinfo PcVue (Medium)
- CVE-2026-1694: CWE-201 Insertion of Sensitive Information into Sent Data in arcinfo PcVue (Low)