The vulnerability identified as CVE-2024-12861 affects the W2S – Migrate WooCommerce to Shopify plugin for WordPress, specifically versions up to and including 1.2.1. The root cause is an External Control of File Name or Path (CWE-73) flaw that allows an authenticated attacker with Subscriber-level privileges or higher to perform an Arbitrary File Read attack via the 'viw2s_view_log' AJAX action. This AJAX endpoint fails to properly validate or sanitize user input controlling the file path, enabling attackers to specify arbitrary file paths on the server. As a result, attackers can read sensitive files such as configuration files, database credentials, or other confidential data stored on the web server. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS v3.1 base score is 6.5, reflecting medium severity, with a vector indicating network attack vector, low attack complexity, privileges required at a low level, no user interaction, unchanged scope, and high confidentiality impact but no integrity or availability impact. No patches or official fixes are currently linked, and no known exploits are reported in the wild. This vulnerability poses a significant risk to WordPress sites using this plugin, especially those handling sensitive e-commerce data or customer information. Attackers could leverage the exposed data for further attacks such as credential theft, privilege escalation, or lateral movement within the network.

The primary impact of CVE-2024-12861 is the unauthorized disclosure of sensitive information stored on the affected server. This can include database credentials, API keys, configuration files, or other sensitive data that could facilitate further attacks such as privilege escalation, data exfiltration, or compromise of other systems. For organizations running e-commerce platforms integrating WooCommerce and Shopify via this plugin, the exposure of such data can lead to customer data breaches, financial loss, reputational damage, and regulatory penalties. Since the vulnerability requires only Subscriber-level access, which is a low privilege role commonly assigned to registered users or customers, the attack surface is broad. The vulnerability does not impact system integrity or availability directly but significantly compromises confidentiality. The ease of exploitation and the potential sensitivity of exposed data make this a notable threat for organizations relying on this plugin for migration or integration tasks between WooCommerce and Shopify.

1. Immediately restrict access to the 'viw2s_view_log' AJAX action by limiting it to trusted administrator roles only, preventing Subscriber-level users from invoking it. 2. Implement web application firewall (WAF) rules to detect and block suspicious requests attempting to access arbitrary file paths via this AJAX endpoint. 3. Monitor server and application logs for unusual access patterns or repeated attempts to read files through this endpoint. 4. Disable or uninstall the W2S – Migrate WooCommerce to Shopify plugin if it is not actively used or essential to operations. 5. Follow up with the vendor (villatheme) for official patches or updates addressing this vulnerability and apply them promptly once available. 6. Conduct a thorough audit of server files and credentials to identify any potential data exposure or compromise resulting from exploitation. 7. Educate site administrators and users about the risks of low-privilege account misuse and enforce strong authentication policies to reduce the risk of account compromise. 8. Consider implementing file system permissions and isolation to limit the plugin's ability to access sensitive files outside its intended scope.