CVE-2024-12571 in Store Locator Plugin
Summary
by MITRE • 12/20/2024
The Store Locator for WordPress with Google Maps – LotsOfLocales plugin for WordPress is vulnerable to Local File Inclusion in version 3.98.9 via the 'sl_engine' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Analysis
by VulDB Data Team • 12/20/2024
The vulnerability identified as CVE-2024-12571 affects the Store Locator for WordPress with Google Maps plugin, specifically version 3.98.9, which is a widely used component for managing location-based data within WordPress environments. This plugin facilitates the integration of Google Maps functionality to display store locations and related information, making it a common target for attackers seeking to exploit WordPress installations. The vulnerability stems from inadequate input validation within the plugin's handling of the 'sl_engine' parameter, which is used to determine the engine responsible for processing location data and map rendering. This flaw represents a classic Local File Inclusion vulnerability that allows attackers to manipulate the plugin's behavior through crafted input parameters.
The technical exploitation of this vulnerability occurs when an attacker submits a malicious value for the 'sl_engine' parameter, which is then processed without proper sanitization or validation. The parameter is intended to name the engine that handles location data processing, but because the value is not adequately filtered, an attacker can manipulate it so that the plugin includes arbitrary local files from the server filesystem. The vulnerability is particularly dangerous because PHP's include mechanism executes any PHP code contained in the included file: an attacker who can place a file on the server, whether uploaded with a PHP extension or as an ostensibly "safe" type such as an image, can have its embedded code run with the privileges of the web server. This is a direct violation of the principle of least privilege and can lead to complete compromise of the affected WordPress installation.
The operational impact of this vulnerability extends beyond simple code execution, as it gives attackers the capability to bypass existing access controls and obtain sensitive information from the server. An unauthenticated attacker can leverage this vulnerability to read sensitive files from the WordPress installation directory, potentially accessing configuration files that contain database credentials, API keys, or other sensitive data. The vulnerability also allows attackers to execute PHP code contained in files they have managed to upload through other channels, which can be used to establish persistent access, create backdoors, or deploy additional malware. This type of vulnerability is particularly concerning in WordPress environments, where plugins often have extensive filesystem access and where the default security model may not adequately protect against such attacks.
Mitigation strategies for this vulnerability should include immediate patching of the affected plugin to version 3.98.10 or later, which addresses the input validation flaw through proper sanitization of the 'sl_engine' parameter. Organizations should also implement network-level protections such as web application firewalls that can detect and block malicious requests attempting to exploit this vulnerability. Additionally, the principle of least privilege should be enforced by restricting the web server's filesystem access and ensuring that uploaded files are stored in directories that do not allow PHP execution. The vulnerability aligns with CWE-22, which describes improper limitation of a pathname to a restricted directory, and represents a technique that could be categorized under ATT&CK matrix tactic TA0001 (Initial Access) and technique T1190 (Exploit Public-Facing Application). Regular security audits and vulnerability assessments should be conducted to identify similar issues in other plugins and themes, as this type of vulnerability is commonly found in poorly secured WordPress components.
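The following is an added illustrative example and not the plugin's own code: it shows the CWE-22 pattern the analysis above describes (a request parameter concatenated into an include path) beside the allowlist-plus-path-containment check that the mitigation paragraph calls for. The directory name, engine names and function names are assumptions.

```php
<?php
// Illustrative example only; the real plugin's code and file layout differ.
// SL_ENGINE_DIR and the engine names below are assumed for the demonstration.
define('SL_ENGINE_DIR', __DIR__ . '/engines');

// VULNERABLE pattern: the request value is spliced straight into the include
// path, so a traversal sequence or a path to an uploaded file is included and
// executed as PHP (the Local File Inclusion class described above).
function sl_engine_path_vulnerable(array $request): string
{
    $engine = $request['sl_engine'] ?? 'default';
    return SL_ENGINE_DIR . '/' . $engine . '.php';
}

// HARDENED pattern: the parameter may only select from a fixed allowlist of
// engine names, and the resolved path must stay inside SL_ENGINE_DIR.
function sl_engine_path_hardened(array $request): ?string
{
    $allowed = ['google', 'osm', 'default'];   // assumed engine names
    $engine  = $request['sl_engine'] ?? 'default';

    // Reject non-strings (e.g. sl_engine[]=x) and anything not on the allowlist.
    if (!is_string($engine) || !in_array($engine, $allowed, true)) {
        return null;
    }

    // Defence in depth: resolve symlinks and verify containment, so that even a
    // later change to the allowlist cannot reintroduce traversal.
    $base = realpath(SL_ENGINE_DIR);
    $path = realpath(SL_ENGINE_DIR . '/' . $engine . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Assumed request handler: fail closed instead of including an unknown file.
$path = sl_engine_path_hardened($_GET);
if ($path === null) {
    http_response_code(400);
    exit('invalid engine');
}
require $path;
```

The allowlist check alone closes the flaw; the realpath containment check is what keeps a future maintainer from reopening it by accepting a free-form value again.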