CVE-2024-12535

HIGH

Host PHP Info <1.0.5 - Info Disclosure

Title source: llm

Description

The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.

Exploits (1)

nomisec WRITEUP
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-12535

References (2)

Scores

CVSS v3 8.6
EPSS 0.1562
EPSS Percentile 94.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Classification

CWE
CWE-862
Status draft

Timeline

Published Jan 07, 2025
Tracked Since Feb 18, 2026