Arbitrary File Read Vulnerability in Error Log Viewer by WP Guru Plugin
CVE-2024-12849

7.5HIGH

Key Information:

Vendor
Wordpress
Status
Error Log Viewer By WP Guru
Vendor
CVE Published:
7 January 2025

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 88%

Summary

The Error Log Viewer By WP Guru plugin for WordPress is susceptible to an Arbitrary File Read vulnerability present in all versions up to and including 1.0.1.3. This flaw allows unauthenticated attackers to exploit the wp_ajax_nopriv_elvwp_log_download AJAX action to gain unauthorized access to sensitive files on the server. The vulnerability can lead to the exposure of confidential information, potentially compromising the security of the entire WordPress installation.

Affected Version(s)

Error Log Viewer By WP Guru * <= 1.0.1.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-12849
Created by RandomRobbieBF

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/error-log-view...
https://plugins.trac.wordpress.org/browser/error-log-view...

EPSS Score

88% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

muhammad yudha
.