CVE-2024-12315

Published: Feb 12, 2025Modified: Feb 25, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security@wordfence.com (Secondary)

Description

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.3 via the exports directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/smack_uci_uploads/exports/ directory which can contain information like exported user data.

Affected (1)

Products: Smackcoders: Export All Posts, Products, Orders, Refunds & Users

1 product

Export All Posts, Products, Orders, Refunds & Users

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Smackcoders Export All Posts, Products, Orders, Refunds & Users	Before 2.10

Related CWEs

Insecure Storage of Sensitive Information

The product stores sensitive information without properly limiting read or write access by unauthorized actors.

References (3)

https://plugins.trac.wordpress.org/browser/wp-ultimate-exporter/trunk/exportExtensions/ExportExtension.php#L1678

Source: security@wordfence.com

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3230400%40wp-ultimate-exporter&new=3230400%40wp-ultimate-exporter&sfp_email=&sfph_mail=

Source: security@wordfence.com

Patch

https://www.wordfence.com/threat-intel/vulnerabilities/id/075709e0-5f00-4d7b-80f6-96e3b4b4a895?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.