CVE-2024-12558

6.5 MEDIUM

📋 TL;DR

The WP BASE Booking plugin for WordPress has a missing capability check that allows authenticated users with Subscriber-level access or higher to export database contents, potentially exposing sensitive information like hashed administrator passwords. This affects all WordPress sites using the plugin up to version 4.9.2.

💻 Affected Systems

Products:
  • WP BASE Booking of Appointments, Services and Events WordPress plugin
Versions: All versions up to and including 4.9.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Any authenticated user (Subscriber role or higher) can exploit this.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain administrator password hashes, crack them, gain full administrative access, and compromise the entire WordPress site and potentially the server.

🟠 Likely Case

Attackers export sensitive booking data, customer information, and potentially password hashes, leading to data breach and privacy violations.

🟢 If Mitigated

With proper access controls and monitoring, unauthorized export attempts are detected and blocked before data exfiltration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account but is technically simple: the vulnerable export_db function can be called without any authorization (capability) check being enforced.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.0

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3210164/wp-base-booking-of-appointments-services-and-events/tags/5.0.0/includes/freeons/export-import.php

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Go to Plugins → Installed Plugins.
  3. Find 'WP BASE Booking of Appointments, Services and Events'.
  4. Click 'Update Now' if available, or download version 5.0.0+ from the WordPress repository.
  5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin (Platform: all)

Temporarily disable the WP BASE Booking plugin until patched:

wp plugin deactivate wp-base-booking-of-appointments-services-and-events

Restrict user registration (Platform: all)

Disable new user registration to prevent attackers from obtaining Subscriber accounts:

In WordPress Settings → General → Membership, uncheck 'Anyone can register'.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests to the export_db function from non-admin users
  • Monitor and audit user activity logs for unauthorized export attempts and database access patterns

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for the 'WP BASE Booking' version. If the version is 4.9.2 or lower, the site is vulnerable.

Check Version:

wp plugin get wp-base-booking-of-appointments-services-and-events --field=version

Verify Fix Applied:

After updating, verify plugin version shows 5.0.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /wp-admin/admin-ajax.php with action=export_db from non-admin users
  • Unusual database export operations in WordPress logs
  • Multiple failed authentication attempts followed by successful Subscriber login and export activity

Network Indicators:

  • Unusual outbound data transfers from WordPress admin interface
  • Patterns of authenticated users accessing export functionality

SIEM Query:

source="wordpress.log" AND ("action=export_db" OR "export_db") AND user_role!="administrator"
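The SIEM query above expresses the detection idea in one line; the following script, added here as an example and not part of the original advisory or the plugin, applies the same logic offline to a few constructed log lines. The log format (timestamp, user, role=..., method, request target, status) and the sample entries are assumed for the example; a real deployment would map the fields from its own access or audit log. The `action` parameter is taken from the query string here; on a real site it may also arrive in the POST body, so the parser would need to be extended for that source.

```python
"""Flag export_db calls made by non-administrator accounts in sample log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log (not from any real site). Assumed line format:
# <timestamp> <user> role=<role> <method> <path?query> <status>
SAMPLE_LOG = """\
2024-12-01T10:00:01Z alice role=administrator POST /wp-admin/admin-ajax.php?action=export_db 200
2024-12-01T10:05:42Z bob role=subscriber POST /wp-admin/admin-ajax.php?action=export_db 200
2024-12-01T10:06:10Z bob role=subscriber GET /wp-admin/admin-ajax.php?action=heartbeat 200
2024-12-01T10:07:55Z carol role=editor POST /wp-admin/admin-ajax.php?action=export_db 200
2024-12-01T10:08:13Z dave role=subscriber GET /?p=12 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

# Roles that are legitimately allowed to run a database export (assumption for
# the example; mirrors the user_role!="administrator" clause of the SIEM query).
PRIVILEGED_ROLES = frozenset({"administrator"})


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    entry = match.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # Keep only the first value of each query parameter.
    entry["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry


def is_export_db_call(entry):
    """True when the request targets admin-ajax.php with action=export_db."""
    return (
        entry["path"].endswith("/wp-admin/admin-ajax.php")
        and entry["params"].get("action") == "export_db"
    )


def find_unauthorized_exports(log_text, privileged_roles=PRIVILEGED_ROLES):
    """Return export_db requests issued by accounts outside privileged_roles."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed or unrelated lines
        if is_export_db_call(entry) and entry["role"] not in privileged_roles:
            hits.append({
                "ts": entry["ts"],
                "user": entry["user"],
                "role": entry["role"],
                "method": entry["method"],
                "status": entry["status"],
            })
    return hits


def summarize_by_user(hits):
    """Count flagged export attempts per account, useful for triage."""
    counts = {}
    for hit in hits:
        counts[hit["user"]] = counts.get(hit["user"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unauthorized_exports(SAMPLE_LOG)
    for hit in flagged:
        print(f"{hit['ts']} {hit['user']} ({hit['role']}) {hit['method']} export_db -> {hit['status']}")
    print("per-user counts:", summarize_by_user(flagged))
```

Run on the sample, the script flags bob (subscriber) and carol (editor) while ignoring alice's administrator export and bob's unrelated heartbeat call. Once the plugin is patched, any remaining hits from this check point at accounts that should be reviewed, since the fixed version should reject them.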
