
CVE-2025-24582 Scanner

CVE-2025-24582 Scanner - Information Disclosure vulnerability in 12 Step Meeting List Plugin for WordPress

Short Info

Level: Medium
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 21 hours
Scan only one: URL

The "12 Step Meeting List" plugin is designed for WordPress installations run by organizations or individuals managing recovery meeting events. It allows users to post, update, and manage recovery meeting schedules and their details. It is widely used by non-profit recovery groups and individuals to streamline the sharing of meeting information. The software supports extensive customization, covering multiple types of meetings across various locations. Its user community seeks to maintain privacy while managing meeting information efficiently, so the plugin plays a critical role in digital resources for recovery support.

The Information Disclosure vulnerability in the 12 Step Meeting List plugin allows unauthenticated information extraction. Attackers can exploit the issue to obtain sensitive data that may include server configuration and private meeting details. The flaw is triggered by accessing specific AJAX endpoints without proper authentication. Such unauthorized access puts privacy at risk by making sensitive information publicly accessible, which is particularly concerning for users who rely on anonymity in recovery contexts. Malicious users could leverage the exposed information for phishing or other harmful purposes.

Technically, the vulnerability involves the "tsml_info" and "tsml_geocodes" AJAX endpoints. These endpoints lack the necessary authentication checks, so they answer direct unauthenticated requests. Via "tsml_info", attackers can retrieve the PHP version, WordPress version, and memory limit. Via "tsml_geocodes", attackers can extract formatted addresses, latitudes, and longitudes of meeting locations. The exposure arises from inadequate access controls in the processing of AJAX requests, and the vulnerability can be exploited with minimal technical effort through crafted HTTP GET requests to the specified paths.
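Because the affected endpoints are reached through ordinary GET requests, site owners can look for access to them in their web server logs. The following is an added example for that purpose, not code from S4E or from the plugin; it assumes the plugin is served through WordPress's standard admin-ajax.php entry point with the action name in the query string, and the log lines it reads are constructed samples in Apache/Nginx combined log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=tsml_info HTTP/1.1" 200 312 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=tsml_geocodes HTTP/1.1" 200 18944 "-" "curl/8.4.0"
198.51.100.4 - - [10/Mar/2025:12:01:10 +0000] "GET /meetings/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2025:12:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 90 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the plugin's endpoints are exposed via WordPress's admin-ajax.php.
AJAX_PATH = "/wp-admin/admin-ajax.php"
# The two AJAX actions named in the advisory text above.
WATCHED_ACTIONS = {"tsml_info", "tsml_geocodes"}


def parse_line(line):
    """Split one combined-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    rec["status"] = int(rec["status"])
    return rec


def find_hits(log_text):
    """Return successful GET requests to the watched AJAX actions.

    Only the query string is visible in an access log, so POSTed actions are
    not seen here; a 200 means the server answered rather than rejecting.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != AJAX_PATH or rec["method"] != "GET":
            continue
        action = rec["query"].get("action")
        if action in WATCHED_ACTIONS and rec["status"] == 200:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "action": action,
                         "bytes": rec["size"], "ua": rec["ua"]})
    return hits
```

Repeated 200 responses to these actions from a single client, especially with a non-browser user agent, are worth correlating with the plugin's patch status; after updating, the same query should show the endpoints refusing unauthenticated requests.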

When exploited, this vulnerability can expose private meeting details and server configuration data. Individuals attending meetings may face a loss of privacy and anonymity. Exposed server data could also be used in further attacks targeted at the underlying WordPress installation. Organizations that rely heavily on privacy may suffer reputational damage, and the exposure of sensitive data may breach privacy laws, leading to legal repercussions. Financial penalties and loss of user trust are also potential outcomes.
