CVE-2024-12849
📋 TL;DR
The Error Log Viewer By WP Guru WordPress plugin contains an unauthenticated arbitrary file read vulnerability. Attackers can exploit this to read any file on the server, potentially exposing sensitive configuration files, credentials, or other confidential data. All WordPress sites using this plugin up to version 1.0.1.3 are affected.
💻 Affected Systems
- Error Log Viewer By WP Guru WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via reading sensitive files like wp-config.php containing database credentials, SSH keys, or other configuration files leading to full site takeover.
Likely Case
Exposure of sensitive information including database credentials, API keys, user data, and server configuration details.
If Mitigated
Limited impact if file permissions restrict access to sensitive files, but still exposes readable files.
🎯 Exploit Status
Exploitation requires sending crafted AJAX requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.0.1.3
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Error Log Viewer By WP Guru'. 4. Click 'Update Now' if available, or delete and reinstall latest version. 5. Verify plugin version is above 1.0.1.3.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
WordPressRemove or restrict access to the vulnerable wp_ajax_nopriv_elvwp_log_download action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_nopriv_elvwp_log_download', 'elvwp_log_download');
Web Application Firewall rule
allBlock requests to the vulnerable AJAX endpoint
WAF rule to block: POST requests containing 'action=elvwp_log_download'
🧯 If You Can't Patch
- Immediately disable the Error Log Viewer By WP Guru plugin
- Implement strict file permissions (chmod 600 for sensitive files like wp-config.php)
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Error Log Viewer By WP Guru version. If version is 1.0.1.3 or lower, you are vulnerable.Check Version:
wp plugin list --name='error-log-viewer-wp' --field=versionVerify Fix Applied:
Verify plugin version is above 1.0.1.3. Test by attempting to access /wp-admin/admin-ajax.php?action=elvwp_log_download with a file parameter - should return error or no data.📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=elvwp_log_download' parameter
- Unusual file access patterns from unauthenticated users
Network Indicators:
- HTTP POST requests containing 'elvwp_log_download' in parameters
- Unusual spikes in requests to admin-ajax.php
SIEM Query:
source="web_logs" AND uri_path="/wp-admin/admin-ajax.php" AND http_method="POST" AND query_string="*action=elvwp_log_download*"🔗 References
- https://plugins.trac.wordpress.org/browser/error-log-viewer-wp/tags/1.0.1.3/error-log-viewer-wp.php#L295
- https://plugins.trac.wordpress.org/browser/error-log-viewer-wp/tags/1.0.1.3/error-log-viewer-wp.php#L479
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3215563%40error-log-viewer-wp&new=3215563%40error-log-viewer-wp&sfp_email=&sfph_mail=#file10
- https://www.wordfence.com/threat-intel/vulnerabilities/id/57888e36-3a61-4452-b4ea-9db9e422dc2d?source=cve
