CVE-2024-12637
📋 TL;DR
The Moving Users WordPress plugin exposes sensitive user data through predictable JSON file locations in export functionality. Unauthenticated attackers can access email addresses, hashed passwords, and IP addresses. All WordPress sites using this plugin up to version 1.05 are affected.
💻 Affected Systems
- Moving Users WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach of all user information including email addresses, hashed passwords, and IP addresses, potentially leading to credential stuffing attacks, phishing campaigns, and privacy violations.
Likely Case
Unauthenticated attackers harvesting user email addresses and IP addresses for spam, phishing, or targeted attacks.
If Mitigated
Limited exposure if proper access controls prevent directory listing and file access, but vulnerability remains present.
🎯 Exploit Status
Exploitation requires guessing predictable file paths, which is trivial for automated tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.06 or later
Vendor Advisory: https://wordpress.org/plugins/moving-users/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Moving Users' and click 'Update Now'. 4. Verify plugin version is 1.06 or higher.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the Moving Users plugin until patched
Block Access to Export Files
linuxAdd .htaccess rules to block access to JSON export files
<Files "*.json">
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Disable the Moving Users plugin immediately
- Implement web application firewall rules to block access to predictable JSON file paths
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Installed Plugins for Moving Users version 1.05 or earlierCheck Version:
wp plugin list --name=moving-users --field=versionVerify Fix Applied:
Confirm Moving Users plugin version is 1.06 or higher in WordPress admin📡 Detection & Monitoring
Log Indicators:
- Multiple 200 OK responses for .json files in predictable paths
- Access to /wp-content/uploads/moving-users-export/ directory
Network Indicators:
- HTTP GET requests to .json files with predictable names
- Unusual traffic to export-related endpoints
SIEM Query:
source="web_logs" AND (uri="*.json" AND uri CONTAINS "moving-users-export")