The Garden Gnome Package plugin for WordPress suffers from a critical vulnerability identified as CVE-2024-12854, categorized under CWE-434, which involves unrestricted file upload due to inadequate file type validation. Specifically, the plugin automatically extracts uploaded 'ggpkg' files without verifying their contents or restricting file types, allowing authenticated users with Author-level privileges or higher to upload arbitrary files to the server. This can be exploited to upload malicious scripts or executables, potentially leading to remote code execution (RCE). The vulnerability affects all versions up to and including 2.3.0. The CVSS 3.1 score of 8.8 reflects the vulnerability's network attack vector, low attack complexity, required privileges at the Author level, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability poses a significant risk due to the common use of WordPress and the plugin in question. Attackers gaining Author-level access—which can be obtained through various means such as credential compromise or privilege escalation—can leverage this flaw to execute arbitrary code, potentially taking full control of the affected web server and compromising the entire website and its data.

This vulnerability can have severe consequences for organizations worldwide running WordPress sites with the Garden Gnome Package plugin. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary commands on the web server, potentially leading to full site compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. The confidentiality, integrity, and availability of the affected systems are all at high risk. Given WordPress's widespread use across various industries, including e-commerce, media, and government websites, the impact can range from loss of customer trust and revenue to regulatory penalties due to data breaches. The requirement for Author-level access limits the attack surface but does not eliminate risk, as many sites have multiple users with such privileges or may be vulnerable to credential theft. The absence of public exploits currently reduces immediate threat but does not preclude targeted attacks or future exploit development.

Organizations should immediately verify if the Garden Gnome Package plugin is installed and identify the version in use. Since no patch links are provided, users should monitor the vendor's official channels for updates or patches addressing CVE-2024-12854. In the interim, restrict Author-level access to trusted users only and review user roles to minimize privilege exposure. Implement web application firewalls (WAFs) with rules to detect and block suspicious file upload patterns, especially those involving 'ggpkg' files. Disable or restrict the plugin's file upload and extraction functionality if possible until a patch is available. Conduct regular audits of uploaded files and server directories for unauthorized or suspicious content. Employ strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised credentials leading to exploitation. Additionally, monitor logs for unusual activity related to file uploads or execution attempts. Finally, consider isolating WordPress instances or running them with least privilege to limit potential damage from exploitation.