CVE-2024-12152

MIPL WC Multisite Sync <= 1.1.5 - Unauthenticated Arbitrary File Download

Description

The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'mipl_wc_sync_download_log' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

References

Link	Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/575d1e24-d23d-4589-bb71-f52efec1ac58?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3216574%40mipl-wc-multisite-sync&new=3216574%40mipl-wc-multisite-sync&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3215735%40mipl-wc-multisite-sync&new=3215735%40mipl-wc-multisite-sync&sfp_email=&sfph_mail=

Frequently Asked Questions

What is the severity of CVE-2024-12152?: CVE-2024-12152 has been scored as a high severity vulnerability.
How to fix CVE-2024-12152?: To fix CVE-2024-12152, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-12152 being actively exploited in the wild?: It is possible that CVE-2024-12152 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~4% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-12152?: CVE-2024-12152 affects mulika MIPL WC Multisite Sync – Synchronize WC Products, Orders, Customers & Coupons across multiple sites.

Description

Category

CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

References

Frequently Asked Questions