CVE-2024-12571

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to include and execute arbitrary files on WordPress servers running the vulnerable Store Locator plugin. Attackers can achieve remote code execution by exploiting a Local File Inclusion flaw via the 'sl_engine' parameter. All WordPress sites using LotsOfLocales Store Locator plugin version 3.98.9 are affected.

💻 Affected Systems

Products:
  • Store Locator for WordPress with Google Maps – LotsOfLocales
Versions: 3.98.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with this specific plugin version. No special configuration required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, malware deployment, website defacement, and lateral movement within the network.

🟠 Likely Case

Attackers upload malicious PHP files disguised as images, then execute them via LFI to gain shell access and establish persistence.

🟢 If Mitigated

If proper file upload restrictions and web application firewalls are in place, attackers may only be able to read sensitive files but not execute code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. Attackers can chain this with file upload functionality for code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.98.10 or later

Vendor Advisory: https://plugins.trac.wordpress.org/browser/store-locator/trunk/sl-functions.php#L1919

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find 'Store Locator for WordPress with Google Maps – LotsOfLocales'.
  4. Click 'Update Now' if available.
  5. Alternatively, download the latest version from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platforms: all

Block requests containing suspicious sl_engine parameter values.

ModSecurity rule (t:urlDecodeUni is added so that double-encoded sequences such as %252e%252e%252f are also caught):

SecRule ARGS:sl_engine "@rx \.\.|\/|\\" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'LFI attempt via sl_engine'"

Cloudflare WAF rule: Block requests whose sl_engine parameter contains path traversal sequences.

File Upload Restriction

Platforms: all

Prevent upload of executable files disguised as images.

Add to wp-content/uploads/.htaccess (not the site-root .htaccess, where it would block WordPress's own PHP files):

<FilesMatch "\.(php|php3|php4|php5|phtml|phar)$">
    Order Allow,Deny
    Deny from all
</FilesMatch>

On Apache 2.4 replace the Order/Deny lines with "Require all denied". If PHP is enabled via AddHandler, Apache may also execute double-extension names such as name.php.jpg; dropping the trailing $ from the pattern covers those.

WordPress filter (add to a site-specific plugin or the theme's functions.php; WordPress does not allow these extensions by default, so this guards against another plugin re-enabling them):

add_filter('upload_mimes', 'restrict_upload_mimes');
function restrict_upload_mimes($mimes) {
    unset($mimes['php'], $mimes['php3'], $mimes['php4'], $mimes['php5'], $mimes['phtml'], $mimes['phar']);
    return $mimes;
}

🧯 If You Can't Patch

  • Immediately disable or remove the Store Locator plugin from all WordPress installations
  • Implement strict network segmentation to isolate affected WordPress servers from critical infrastructure

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Store Locator plugin version. If version is exactly 3.98.9, system is vulnerable.

Check Version:

wp plugin list --name=store-locator --field=version

Verify Fix Applied:

Verify that the plugin version is 3.98.10 or higher. Test the sl_engine parameter with path traversal payloads (e.g., ../../../etc/passwd); the request should return an error or be blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing 'sl_engine' parameter with path traversal sequences (../, ..\, %2e%2e%2f)
  • Multiple failed attempts to access system files via web requests
  • Unexpected PHP file execution from upload directories

Network Indicators:

  • Unusual outbound connections from web server to external IPs
  • HTTP requests with encoded path traversal in parameters

SIEM Query:

source="web_server_logs" AND (sl_engine="*../*" OR sl_engine="*..\\*" OR sl_engine="*%2e%2e%2f*")
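The log indicators and the SIEM query above can be applied directly to web-server access logs. The following Python script is an added example for this advisory, not code from the plugin vendor or from the CVE database: it parses combined-format access log lines, URL-decodes the sl_engine value (including double-encoded forms such as %252e%252e%252f, which a single-decode SIEM match would miss), flags traversal sequences using the same pattern as the ModSecurity rule, and flags requests for PHP files under wp-content/uploads (including double-extension names). The log lines are constructed samples; the IP addresses are documentation ranges.

```python
"""Detect LFI probes against the Store Locator 'sl_engine' parameter and PHP
execution from the uploads tree in access logs (Apache/Nginx combined format).
Added example for this advisory; not vendor or plugin code."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Same character classes as the page's ModSecurity rule: '..', '/' or '\'.
TRAVERSAL = re.compile(r"\.\.|/|\\")

# Executable extensions from the .htaccess workaround, anywhere in the uploads
# tree; also matches double-extension names such as image.php.jpg.
UPLOADS_PHP = re.compile(
    r"^/wp-content/uploads/.*\.(?:php|php3|php4|php5|phtml|phar)(?:$|[/?.])", re.I
)

# Minimal combined-log parser: client IP, timestamp, method, target, status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /?sl_engine=google HTTP/1.1" 200 5123',
    '203.0.113.9 - - [10/Jan/2025:12:00:02 +0000] "GET /?sl_engine=../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.9 - - [10/Jan/2025:12:00:03 +0000] "GET /?sl_engine=%252e%252e%252fwp-config.php HTTP/1.1" 403 0',
    '203.0.113.9 - - [10/Jan/2025:12:00:04 +0000] "GET /?sl_engine=..%5c..%5cwp-config.php HTTP/1.1" 200 300',
    '203.0.113.9 - - [10/Jan/2025:12:00:05 +0000] "POST /wp-content/uploads/2025/01/image.php HTTP/1.1" 200 88',
    '198.51.100.2 - - [10/Jan/2025:12:00:06 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 40000',
]


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(line):
    """Return a list of (indicator, detail) tuples for one access-log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []  # unparseable line: nothing to report
    findings = []
    parts = urlsplit(m["target"])

    # Indicator: PHP executed from the uploads directory.
    path = decode_fully(parts.path)
    if UPLOADS_PHP.search(path):
        findings.append(("php_in_uploads", path))

    # Indicator: traversal sequences in sl_engine. parse_qs decodes one layer;
    # decode_fully strips any further layers before matching.
    for raw in parse_qs(parts.query, keep_blank_values=True).get("sl_engine", []):
        value = decode_fully(raw)
        if TRAVERSAL.search(value):
            findings.append(("sl_engine_traversal", value))
    return findings


def scan(lines):
    """Group findings by client IP, the same view the SIEM query gives."""
    hits = {}
    for line in lines:
        findings = analyze(line)
        if findings:
            ip = LOG_LINE.match(line)["ip"]
            hits.setdefault(ip, []).extend(findings)
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        for indicator, detail in findings:
            print(f"{ip}\t{indicator}\t{detail}")
```

Run it against a real log with `scan(open("/var/log/apache2/access.log").readlines())`; every entry returned for a client is a candidate for the "Multiple failed attempts" indicator when the same IP appears repeatedly. The decoder is bounded to three rounds on purpose, so a value that keeps changing under decoding cannot loop indefinitely.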
