CVE-2024-12849

HIGH NUCLEI

Error Log Viewer By WP Guru <1.0.1.3 - Info Disclosure

Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-12849. PoCs published by Boshe99, Nxploited, RandomRobbieBF. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains functional exploit code for CVE-2024-12849, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Description

The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Exploits (3)

github WORKING POC
by Boshe99 · python · poc
https://github.com/Boshe99/CVE-Exploits/tree/main/CVE-2024-12849-Poc

The repository contains functional exploit code for CVE-2024-12849, targeting a WordPress plugin (3DPrint Lite 1.9.1.4) with an arbitrary file upload vulnerability. The Python script demonstrates the ability to upload a malicious file to a vulnerable target.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: WordPress Plugin 3DPrint Lite 1.9.1.4
No auth needed
Prerequisites: target URL · malicious file to upload
devstral-2 · analyzed Feb 27, 2026

nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2024-12849-Poc

This repository contains a functional exploit for CVE-2024-12849, which targets an arbitrary file read vulnerability in the Error Log Viewer By WP Guru WordPress plugin. The exploit checks the plugin version and performs unauthenticated file reads via the `wp_ajax_nopriv_elvwp_log_download` AJAX action.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Error Log Viewer By WP Guru WordPress plugin <= 1.0.1.3
No auth needed
Prerequisites: Target must have the vulnerable plugin installed and accessible
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by RandomRobbieBF · poc
https://github.com/RandomRobbieBF/CVE-2024-12849

The repository contains a functional proof-of-concept for CVE-2024-12849, demonstrating an unauthenticated arbitrary file read vulnerability in the Error Log Viewer By WP Guru WordPress plugin. The exploit leverages the `wp_ajax_nopriv_elvwp_log_download` AJAX action to read sensitive files like `/etc/passwd`.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Error Log Viewer By WP Guru WordPress plugin <= 1.0.1.3
No auth needed
Prerequisites: WordPress site with vulnerable plugin installed
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

Error Log Viewer By WP Guru <= 1.0.1.3 - Missing Authorization to Arbitrary File Read
HIGH · VERIFIED · by s4e-io
Shodan: http.html:"wp-content/plugins/error-log-viewer-wp"
FOFA: body="wp-content/plugins/error-log-viewer-wp"

Scores

CVSS v3: 7.5
EPSS: 0.4714
EPSS Percentile: 98.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-22
Status: published
Products (1)
wpguruin/Error Log Viewer By WP Guru < 1.0.1.3
Published: Jan 07, 2025
Tracked Since: Feb 18, 2026