The Moving Users plugin for WordPress, developed by katsushi-kawamori, suffers from a sensitive information exposure vulnerability identified as CVE-2024-12637. This vulnerability affects all versions up to and including 1.05. The issue arises from the plugin's export functionality, which generates JSON files containing user data such as email addresses, hashed passwords, and IP addresses. These JSON files are stored in predictable directory paths with guessable filenames, allowing unauthenticated attackers to locate and download them without any authentication or user interaction. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning the attack can be performed remotely over the network with low attack complexity, no privileges, and no user interaction, impacting confidentiality only. No known exploits have been reported in the wild as of the publication date. The lack of authentication and the predictability of file storage paths make this vulnerability particularly concerning for sites with sensitive user data. Since the plugin is widely used in WordPress environments, the exposure risk is significant for affected installations. No official patches or updates are currently linked, so mitigation relies on access controls and monitoring until a fix is released.

The primary impact of CVE-2024-12637 is the unauthorized disclosure of sensitive user information, including email addresses, hashed passwords, and IP addresses. This exposure can facilitate further attacks such as phishing, credential stuffing, or targeted intrusion attempts. Although the passwords are hashed, attackers may attempt offline cracking, especially if weak hashing algorithms or poor password complexity are involved. The vulnerability does not affect data integrity or availability but compromises confidentiality, which can erode user trust and lead to regulatory compliance issues, especially under data protection laws like GDPR. Organizations using the Moving Users plugin risk data breaches that could result in reputational damage, legal penalties, and increased incident response costs. Since exploitation requires no authentication and no user interaction, the attack surface is broad, potentially affecting any publicly accessible WordPress site using the vulnerable plugin. The absence of known exploits in the wild suggests limited active exploitation currently, but the ease of exploitation and predictable file locations make it a likely target for opportunistic attackers.

1. Immediately restrict access to the export directory and JSON files by implementing strict web server access controls (e.g., .htaccess rules or equivalent) to prevent unauthorized HTTP requests. 2. Disable or limit the export functionality of the Moving Users plugin until a secure patch or update is available. 3. Monitor web server logs for unusual or repeated access attempts to the export file paths, indicating potential reconnaissance or exploitation attempts. 4. Encourage users to update to a patched version once released by the plugin developer or consider alternative plugins with better security practices. 5. Implement web application firewall (WAF) rules to block requests targeting predictable export file paths or suspicious patterns related to this vulnerability. 6. Educate site administrators about the risks of predictable file storage and the importance of secure file handling. 7. Conduct regular security audits of WordPress plugins and configurations to identify and remediate similar exposure risks proactively. 8. If sensitive data exposure is suspected, enforce password resets and notify affected users as part of incident response procedures.