Login Sign Up

CVE-2024-43258

5.3 MEDIUM

📋 TL;DR

Store Locator Plus WordPress plugin versions up to 2311.17.01 expose sensitive information to unauthorized actors. This vulnerability allows attackers to access confidential data without authentication, affecting all WordPress sites using vulnerable versions of this plugin.

💻 Affected Systems

Products:
  • Store Locator Plus for WordPress
Versions: n/a through 2311.17.01
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions regardless of configuration.

📦 What is this software?

Store Locator Plus by Storelocatorplus

View all CVEs affecting Store Locator Plus →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could extract sensitive configuration data, API keys, database credentials, or user information leading to complete site compromise or data breach.

🟠

Likely Case

Unauthorized access to plugin configuration data, potentially revealing API keys or other sensitive operational information.

🟢

If Mitigated

Limited exposure of non-critical configuration data with proper access controls and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Information exposure vulnerabilities typically require minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2311.17.01

Vendor Advisory: https://patchstack.com/database/vulnerability/store-locator-le/wordpress-store-locator-plus-for-wordpress-plugin-2311-17-01-sensitive-data-exposure-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Store Locator Plus. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and replace plugin files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate store-locator-le

Restrict Access

all

Use web application firewall to block access to plugin endpoints

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can access the WordPress site
  • Enable detailed logging and monitoring for unauthorized access attempts to plugin endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Store Locator Plus version. If version is 2311.17.01 or earlier, you are vulnerable.

Check Version:

wp plugin get store-locator-le --field=version

Verify Fix Applied:

Verify plugin version is higher than 2311.17.01 and test that sensitive endpoints no longer expose information.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to plugin-specific endpoints
  • Multiple failed authentication attempts followed by successful data access

Network Indicators:

  • Unusual traffic to /wp-content/plugins/store-locator-le/ endpoints from unexpected sources

SIEM Query:

source="wordpress" AND (uri_path="/wp-content/plugins/store-locator-le/*" OR plugin="store-locator-le") AND status=200

📊 Metadata

CVE ID: CVE-2024-43258
CVSS v3 Score: 5.3 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-200
Published: August 26, 2024
Last Updated: September 12, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-43258, you might also want to check these:

CVE-2025-61481 10.0

MikroTik RouterOS and SwOS expose their WebFig management interface over unencrypted HTTP by default...

Same vulnerability type (CWE-200)
CVE-2025-53624 10.0

The Docusaurus gists plugin versions before 4.0.0 expose GitHub Personal Access Tokens in client-sid...

Same vulnerability type (CWE-200)
CVE-2023-49103 10.0

This vulnerability in ownCloud's graphapi app exposes PHP configuration details (phpinfo) via a thir...

Same vulnerability type (CWE-200)