CVE-2024-12849 is a path traversal vulnerability categorized under CWE-22 found in the Error Log Viewer By WP Guru plugin for WordPress. This vulnerability exists in all plugin versions up to and including 1.0.1.3. The flaw resides in the wp_ajax_nopriv_elvwp_log_download AJAX action, which does not properly restrict the pathname input, allowing attackers to traverse directories and read arbitrary files on the server. Because this AJAX action is accessible without authentication (wp_ajax_nopriv), any unauthenticated user can exploit this remotely. The vulnerability enables attackers to access sensitive files such as wp-config.php, server logs, or other critical data that may contain credentials or private information. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, no required privileges, no user interaction, and a high impact on confidentiality. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers seeking to gather intelligence or prepare for further attacks. The plugin’s widespread use in WordPress sites increases the potential attack surface. The vulnerability does not affect integrity or availability but poses a serious confidentiality risk. The lack of an official patch at the time of reporting necessitates immediate mitigation measures by administrators.

The primary impact of CVE-2024-12849 is the unauthorized disclosure of sensitive information stored on the web server. Attackers can read configuration files, database credentials, authentication tokens, or other private data, which can facilitate further compromise such as privilege escalation, data exfiltration, or lateral movement within the network. For organizations, this can lead to data breaches, regulatory non-compliance, reputational damage, and financial loss. Since the vulnerability is exploitable remotely without authentication or user interaction, it significantly increases the risk of automated scanning and exploitation by threat actors. Websites running the vulnerable plugin, especially those hosting sensitive or customer data, are at heightened risk. The exposure of error logs or configuration files can also reveal internal system details that aid attackers in crafting more sophisticated attacks. Although availability and integrity are not directly impacted, the confidentiality breach alone is critical for many organizations, particularly those in regulated industries or handling sensitive user information.

To mitigate CVE-2024-12849, organizations should first check for updates or patches from the plugin vendor and apply them immediately once available. In the absence of an official patch, administrators should disable or restrict access to the wp_ajax_nopriv_elvwp_log_download AJAX action, for example by removing or restricting the AJAX handler in the plugin code or via web application firewall (WAF) rules. Implement strict file system permissions to limit the web server’s ability to read sensitive files outside the intended directories. Employ input validation and sanitization to prevent path traversal attempts if modifying the plugin code is feasible. Monitor web server and application logs for unusual requests targeting the vulnerable AJAX endpoint. Use security plugins or WAFs to detect and block suspicious path traversal patterns. Consider isolating or sandboxing the WordPress environment to limit the impact of potential breaches. Finally, conduct regular security audits and vulnerability scans to identify and remediate similar issues proactively.