CVE-2024-12535

HIGH

Host PHP Info <1.0.5 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-12535. PoCs published by RandomRobbieBF.

AI-analyzed exploit summary: The repository provides a detailed technical description of CVE-2024-12535, an unauthorized information disclosure vulnerability in the Host PHP Info WordPress plugin (version <= 1.0.4). It includes a proof-of-concept URL demonstrating the exploit path but lacks functional exploit code.

Description

The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.

Exploits (1)

nomisec WRITEUP
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-12535

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Host PHP Info WordPress plugin <= 1.0.4
No auth needed
Prerequisites: WordPress installation with vulnerable plugin (activated or not)
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 8.6
EPSS 0.0057
EPSS Percentile 42.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE CWE-862
Status published
Products (1)
eflyjason/Host PHP Info < 1.0.4
Published Jan 07, 2025
Tracked Since Feb 18, 2026