CVE-2024-12535 Information
Jan 08, 2025
Description
The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the ‘phpinfo’ function in all versions up to and including 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site’s server. The plugin does not need to be activated for the vulnerability to be exploited.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Reference
https://plugins.trac.wordpress.org/browser/host-php-info/trunk/info.php#L2
https://www.wordfence.com/threat-intel/vulnerabilities/id/88d27385-9b92-419c-9e03-687d7192bbb5?source=cve
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
8.6
Base Severity
HIGH