CVE-2024-12849 Scanner
CVE-2024-12849 Scanner - Arbitrary File Read vulnerability in Error Log Viewer By WP Guru
Short Info
Level: High
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 13 days 23 hours
Scan only one: Domain, IPv4, Subdomain
The Error Log Viewer By WP Guru plugin is a popular tool for WordPress administrators to monitor and manage error logs on their websites. It is designed to provide a user-friendly interface for viewing server errors, assisting developers and administrators in troubleshooting and maintaining their WordPress installations.
The vulnerability identified in this plugin is an Arbitrary File Read, which allows unauthenticated attackers to access files on the server. Exploiting this vulnerability can expose sensitive information stored in critical system files or application configurations.
The vulnerability lies in the "wp_ajax_nopriv_elvwp_log_download" AJAX action, which lacks proper authorization checks. WordPress runs "wp_ajax_nopriv_" hooks for visitors who are not logged in, so the handler is reachable without authentication. Attackers can send this endpoint a crafted POST request specifying arbitrary file paths, such as "/etc/passwd", to read file contents.
If exploited, this vulnerability can lead to significant data breaches, exposing sensitive credentials or configuration details. Malicious actors could use this information to further compromise the system or other associated resources.
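For defenders reviewing their own request logs, the following detection sketch is an added example, not code from the plugin or from this scanner. It flags requests that reach the unauthenticated "elvwp_log_download" action and marks those carrying absolute or traversal paths; the JSON-lines log layout and the "f" field name are assumptions, and the sample records are constructed.

```python
import json
from urllib.parse import parse_qsl, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "elvwp_log_download"  # action behind the wp_ajax_nopriv_elvwp_log_download hook

# Constructed sample records. The JSON-lines layout and the "f" field are
# assumptions for this example, not the plugin's real parameter names.
SAMPLE_LOG = """\
{"ip":"198.51.100.7","url":"/wp-admin/admin-ajax.php","cookie":"","body":"action=elvwp_log_download&f=%2Fetc%2Fpasswd"}
{"ip":"198.51.100.7","url":"/wp-admin/admin-ajax.php","cookie":"","body":"action=elvwp_log_download&f=..%2F..%2F..%2Fetc%2Fpasswd"}
{"ip":"203.0.113.20","url":"/wp-admin/admin-ajax.php","cookie":"wordpress_logged_in_abc=admin","body":"action=elvwp_log_download&f=debug.log"}
{"ip":"203.0.113.9","url":"/wp-admin/admin-ajax.php?action=heartbeat","cookie":"","body":"data=1"}
{"ip":"192.0.2.44","url":"/wp-admin/admin-ajax.php","cookie":"","body":"action=elvwp_log_download&f=debug.log"}
not-json garbage line
"""

def looks_like_path_escape(value):
    """True for absolute paths or parent-directory traversal in a decoded value."""
    v = value.replace("\\", "/")
    return v.startswith("/") or ".." in v.split("/") or (len(v) > 1 and v[1] == ":")

def scan(log_text):
    """Return findings for requests that reach the unauthenticated download action."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        url = urlsplit(rec.get("url", ""))
        if url.path != AJAX_PATH:
            continue
        # WordPress accepts the action in the query string or the form body.
        params = parse_qsl(url.query) + parse_qsl(rec.get("body", ""))
        if ("action", ACTION) not in params:
            continue
        # Heuristic: without a login cookie WordPress dispatches the nopriv hook.
        if "wordpress_logged_in_" in rec.get("cookie", ""):
            continue
        escapes = [v for k, v in params if k != "action" and looks_like_path_escape(v)]
        findings.append({"line": lineno, "ip": rec.get("ip"),
                         "severity": "high" if escapes else "review", "paths": escapes})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A login cookie in the log does not prove the session was valid, so the cookie check is a triage filter rather than proof that a request was authorized.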