CVE-2024-12152: MIPL WC Multisite Sync <= 1.1.5 - Unauthenticated Arbitrary File Download

7.5 CVSS

Description

The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'mipl_wc_sync_download_log' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Classification

CVE ID: CVE-2024-12152

CVSS Base Severity: HIGH

CVSS Base Score: 7.5

Affected Products

Vendor: mulika

Product: MIPL WC Multisite Sync – Synchronize WC Products, Orders, Customers & Coupons across multiple sites

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (probability of being exploited)

EPSS Percentile: 30.63% (scored less or equal to compared to others)

EPSS Date: 2025-02-05 (when was this score calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/575d1e24-d23d-4589-bb71-f52efec1ac58?source=cve
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3216574%40mipl-wc-multisite-sync&new=3216574%40mipl-wc-multisite-sync&sfp_email=&sfph_mail=
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3215735%40mipl-wc-multisite-sync&new=3215735%40mipl-wc-multisite-sync&sfp_email=&sfph_mail=

Timeline

2025-01-08 00:30:16 UTC
CVE

MIPL WC Multisite Sync <= 1.1.5 - Unauthenticated Arbitrary File Download