CVE-2024-12152 Overview
CVE-2024-12152 is a directory traversal vulnerability in the MIPL WC Multisite Sync plugin for WordPress. The flaw affects all versions up to and including 1.1.5. The vulnerability resides in the mipl_wc_sync_download_log action handler, which fails to validate user-supplied file path input. Unauthenticated remote attackers can read arbitrary files on the underlying server. Accessible files often contain sensitive data such as wp-config.php credentials, private keys, and application logs. The issue is tracked under CWE-22: Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Unauthenticated attackers can read arbitrary files on the WordPress host, exposing database credentials and secrets that enable full site compromise.
Affected Products
- MIPL WC Multisite Sync plugin for WordPress, versions up to and including 1.1.5
- WordPress installations using the vulnerable plugin in single-site or multisite configurations
- Any WooCommerce environment relying on the plugin for cross-site synchronization
Discovery Timeline
- 2025-01-07 - CVE-2024-12152 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-12152
Vulnerability Analysis
The vulnerability stems from insufficient input sanitization in the mipl_wc_sync_download_log AJAX action. The handler accepts a filename parameter and passes it directly to file read operations without normalizing the path. Attackers supply traversal sequences such as ../../../../etc/passwd or ../../../wp-config.php to escape the intended log directory. The EPSS score of 7.69% places this issue in the 92nd percentile for exploitation likelihood, reflecting the trivial exploitation pattern common to WordPress plugin path traversal flaws. Because the endpoint is reachable without authentication, any attacker who can send an HTTP request to the WordPress installation can extract file contents.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The plugin treats the user-supplied parameter as a trusted log filename and concatenates it into a file path without canonicalization or allowlist validation. The handler also lacks capability checks such as current_user_can(), leaving the action accessible to unauthenticated visitors.
Attack Vector
Exploitation occurs over the network through the WordPress admin-ajax.php endpoint. An attacker sends a crafted GET or POST request invoking the mipl_wc_sync_download_log action with a traversal payload in the filename parameter. The server responds with the contents of the requested file. The Wordfence advisory documents the action name and the affected versions. See the Wordfence Vulnerability Analysis and the WordPress Plugin Changeset for technical details on the patched code paths.
Detection Methods for CVE-2024-12152
Indicators of Compromise
- Requests to /wp-admin/admin-ajax.php containing the parameter action=mipl_wc_sync_download_log
- Path traversal sequences such as ../, ..%2f, or URL-encoded variants in request parameters
- Successful HTTP 200 responses with Content-Disposition: attachment headers returning non-log content
- Web server access logs showing unauthenticated reads followed by lateral activity using exposed credentials
Detection Strategies
- Inspect WordPress access logs for the mipl_wc_sync_download_log action paired with suspicious filename parameters
- Deploy web application firewall rules that block traversal patterns targeting admin-ajax.php
- Correlate file read responses with subsequent authentication attempts against the WordPress database or admin panel
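The first two detection strategies above, as an added example that is not part of the original page: a Python classifier run over constructed Apache combined-format access log lines that flags the vulnerable action name, undoes nested percent-encoding before looking for traversal sequences in any parameter, and raises the severity when the server answered 200. Addresses, timestamps and filenames in the sample are constructed; only the standard library is assumed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined format: client, request target and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so ..%2f and %252e%252e%252f are judged on
    their decoded form; stop as soon as decoding no longer changes the value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """None for an uninteresting line; else a hit rated low (action only),
    medium (action plus traversal in a parameter) or high (that plus HTTP 200)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if "mipl_wc_sync_download_log" not in params.get("action", []):
        # POST bodies are absent from access logs, so a bare POST to
        # admin-ajax.php cannot be judged here; use WAF or PHP-level logs.
        return None
    traversal = [k for k, vals in params.items()
                 if any(TRAVERSAL_RE.search(fully_decode(v)) for v in vals)]
    status = int(m.group("status"))
    severity = "high" if traversal and status == 200 else "medium" if traversal else "low"
    return {"ip": m.group("ip"), "status": status,
            "traversal_params": traversal, "severity": severity}


# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=mipl_wc_sync_download_log&filename=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3120 "-" "curl/8.4.0"
203.0.113.7 - - [07/Jan/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=mipl_wc_sync_download_log&filename=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 12 "-" "curl/8.4.0"
198.51.100.4 - - [07/Jan/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=mipl_wc_sync_download_log&filename=sync.log HTTP/1.1" 200 980 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Jan/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"
"""


def scan(text):
    return [hit for hit in map(classify, text.splitlines()) if hit]
```

Because the filename parameter of a POST request never reaches the access log, the classifier can only rate GET requests by payload; the same logic applied to WAF or PHP-level request logs covers POST.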
Monitoring Recommendations
- Forward WordPress, PHP, and reverse proxy logs to a centralized analytics platform for query-driven hunting
- Alert on outbound responses containing strings such as DB_PASSWORD, AUTH_KEY, or BEGIN PRIVATE KEY originating from admin-ajax.php
- Track installed plugin inventory across WordPress hosts to identify systems still running MIPL WC Multisite Sync 1.1.5 or earlier
How to Mitigate CVE-2024-12152
Immediate Actions Required
- Update the MIPL WC Multisite Sync plugin to a patched release beyond version 1.1.5
- If a patched version is not available, deactivate and remove the plugin from all WordPress sites
- Rotate WordPress salts, database passwords, and any API keys stored in wp-config.php after confirming exploitation is no longer possible
- Audit web logs for prior exploitation attempts against the mipl_wc_sync_download_log action
Patch Information
The vendor addressed the issue in WordPress plugin changesets 3215735 and 3216574. Review the first changeset and the follow-up changeset for the corrected file handling logic. Apply the latest plugin version from the WordPress.org repository.
Workarounds
- Block requests containing action=mipl_wc_sync_download_log at the WAF or reverse proxy until the plugin is patched
- Restrict access to /wp-admin/admin-ajax.php from untrusted networks where feasible
- Apply strict file system permissions so the PHP process cannot read sensitive files outside the WordPress webroot
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.