CVE-2024-12558

MEDIUM

WP BASE Booking <4.9.2 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-12558. PoCs published by Boshe99, Nxploited, RandomRobbieBF.

Description

The WP BASE Booking of Appointments, Services and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db function in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose sensitive information from the database, such as the hashed administrator password.

Exploits (3)

github WORKING POC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-12558-exploit

The repository contains functional exploit code for CVE-2024-12558, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · malicious file to upload
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2024-12558-exploit

This repository contains a functional exploit for CVE-2024-12558, targeting a missing capability check in the WP BASE Booking plugin for WordPress. The exploit authenticates as a low-privileged user (Subscriber+) and triggers an unauthorized database export via the 'app_export_db' action.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WP BASE Booking of Appointments, Services and Events plugin for WordPress (versions up to and including 4.9.2)
Auth required
Prerequisites: WordPress site with vulnerable plugin installed · Valid credentials (Subscriber-level or higher)
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-12558

The repository contains a functional PoC for CVE-2024-12558, demonstrating a missing authorization check in the WP BASE Booking plugin. The exploit allows authenticated attackers (Subscriber+) to export sensitive database information via the `app_export_db` function.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WP BASE Booking of Appointments, Services and Events <= 4.9.2
Auth required
Prerequisites: Authenticated access (Subscriber+) · Target plugin installed and active
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 6.5
EPSS 0.0117
EPSS Percentile 63.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
puckrobin/WP BASE Booking of Appointments, Services and Events < 4.9.2
Published Dec 21, 2024
Tracked Since Feb 18, 2026