CVE-2024-12859 is a Local File Inclusion vulnerability classified under CWE-98, affecting the BoomBox Theme Extensions plugin for WordPress. The flaw exists in the handling of the 'boombox_listing' shortcode's 'type' attribute, which does not properly validate or sanitize input used in PHP include or require statements. Authenticated attackers with contributor-level or higher permissions can manipulate this attribute to include arbitrary files from the server filesystem. If an attacker can upload PHP files (e.g., via other plugin vulnerabilities or WordPress media upload if improperly configured), they can execute arbitrary PHP code, leading to remote code execution. This vulnerability allows bypassing of access controls and can expose sensitive information or compromise the entire web server. The vulnerability affects all versions up to and including 1.8.0 of the plugin. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low attack complexity, required privileges at the contributor level, no user interaction, and high impact on confidentiality, integrity, and availability. No official patches are currently linked, so mitigation relies on access control tightening and disabling vulnerable features until updates are available.

The impact of CVE-2024-12859 is significant for organizations using the BoomBox Theme Extensions plugin on WordPress sites. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code on the web server. This can result in full system compromise, data theft, defacement, or pivoting to internal networks. Confidentiality is at risk as attackers can read sensitive files, including configuration files and credentials. Integrity is compromised by the ability to modify files or inject malicious code. Availability can be affected if attackers disrupt services or deploy ransomware. Since the vulnerability requires contributor-level access, attackers must first compromise or obtain such credentials, which is feasible in many WordPress environments due to weak credential management or phishing. The widespread use of WordPress and the popularity of the BoomBox theme increase the potential attack surface globally.

1. Immediately restrict contributor-level permissions and audit user roles to ensure only trusted users have contributor or higher access. 2. Disable or remove the BoomBox Theme Extensions plugin if it is not essential. 3. Monitor and restrict file upload capabilities, ensuring that executable PHP files cannot be uploaded or executed. 4. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'boombox_listing' shortcode 'type' parameter. 5. Apply strict input validation and sanitization for any shortcode attributes if custom modifications are possible. 6. Regularly monitor logs for suspicious include or require calls and unexpected file access patterns. 7. Stay alert for official patches or updates from PX-lab and apply them promptly once available. 8. Employ principle of least privilege for all WordPress users and consider multi-factor authentication to reduce risk of credential compromise.