CVE-2024-12849
published 2025-01-07


Priority: P2 · 71 · Severity: high (CVSS 3.1 base score 7.5)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available
EPSS: 47.14% (98.7th percentile)
The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected

1 range

Vendor:        wpguruin
Product:       error_log_viewer_by_wp_guru
Version range: <= 1.0.1.3
Fixed in:      (not listed on this record)

Detection & IOCs (extracted from sources)

url:     /wp-admin/admin-ajax.php
command: action=elvwp_log_download&elvwp_error_log_download=1&elvwp_error_log=/etc/passwd
path:    /wp-content/plugins/error-log-viewer-wp
other:   http.html:"wp-content/plugins/error-log-viewer-wp"
other:   body="wp-content/plugins/error-log-viewer-wp"
  • Detect exploitation attempts by monitoring POST requests to /wp-admin/admin-ajax.php with the AJAX action parameter 'elvwp_log_download' and the 'elvwp_error_log' parameter containing path traversal or sensitive file paths (e.g., /etc/passwd). No authentication is required by the attacker.
  • The vulnerable AJAX action is registered as wp_ajax_nopriv_elvwp_log_download, meaning it is accessible to unauthenticated users. Presence of the plugin path '/wp-content/plugins/error-log-viewer-wp' in page source confirms the vulnerable plugin is installed.
  • The vulnerability affects all versions up to and including 1.0.1.3 of the Error Log Viewer By WP Guru plugin. Ensure version checks are part of any scanning logic.
  • The Nuclei template uses a two-step flow: first confirming plugin presence via a GET to the homepage, then sending the exploit POST. Single-step detections may produce false positives on sites without the plugin installed.
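The detection rule in the bullets above, implemented as an added example (this is not code from the CVE record, the plugin, or the Nuclei template): it takes request records (method, URL, body) and flags calls to the unauthenticated `elvwp_log_download` action, rating them by whether `elvwp_error_log` carries path traversal, an absolute path, or a known sensitive file. The watch-list of sensitive targets beyond `/etc/passwd` and the sample traffic are assumptions constructed for the example.

```python
"""Added example: flag requests matching the CVE-2024-12849 exploitation pattern.
Not taken from the CVE record, the plugin, or the Nuclei template."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"
VULN_ACTION = "elvwp_log_download"      # registered as wp_ajax_nopriv_elvwp_log_download
# Assumed watch-list: /etc/passwd is the target on the record; the rest are
# common arbitrary-file-read targets added here as an assumption.
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow", "wp-config.php", ".env", "/proc/self/")
# '..' bounded by a path separator (or string start/end), either slash style
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def _params(raw: str) -> dict:
    """Parse a query string or form body. parse_qs decodes once; decoding the
    values a second time makes double-encoded traversal (%252e%252e%252f)
    show up as '../' so it cannot slip past the regex."""
    return {k: unquote(v[0]) for k, v in
            parse_qs(raw, keep_blank_values=True).items()}


def analyze_request(method: str, url: str, body: str = "") -> Optional[dict]:
    """Return an alert dict if the request invokes the vulnerable AJAX action,
    else None. Parameters are read from both query string and body because
    WordPress accepts 'action' from either."""
    parts = urlsplit(url)
    if parts.path != AJAX_ENDPOINT:
        return None
    params = _params(parts.query)
    params.update(_params(body))
    if params.get("action") != VULN_ACTION:
        return None
    target = params.get("elvwp_error_log", "")
    reasons = []
    if TRAVERSAL.search(target):
        reasons.append("path traversal in elvwp_error_log")
    if any(s in target for s in SENSITIVE_TARGETS):
        reasons.append("sensitive file requested")
    elif target.startswith("/"):
        reasons.append("absolute path in elvwp_error_log")
    # A benign-looking call still deserves an audit entry: the action needs no
    # authentication, so any external caller reaching it is the exposure.
    severity = "high" if reasons else "low"
    return {"method": method, "target": target, "severity": severity,
            "reasons": reasons or ["unauthenticated log-download action invoked"]}


# Constructed sample traffic (not real captures): a normal admin-ajax call, the
# POST from the record's IoC, a GET variant with double-encoded traversal, a
# call naming a plausible in-scope log file, and an unrelated request.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php", "action=heartbeat&_nonce=abc"),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=elvwp_log_download&elvwp_error_log_download=1&elvwp_error_log=/etc/passwd"),
    ("GET", "/wp-admin/admin-ajax.php?action=elvwp_log_download"
            "&elvwp_error_log=%252e%252e%252f%252e%252e%252fwp-config.php", ""),
    ("POST", "/wp-admin/admin-ajax.php",
     "action=elvwp_log_download&elvwp_error_log_download=1&elvwp_error_log=error.log"),
    ("GET", "/index.php?p=1", ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Run analyze_request over (method, url, body) tuples; keep the alerts."""
    return [a for a in (analyze_request(*r) for r in requests) if a]


if __name__ == "__main__":
    for alert in scan():
        print(alert["severity"].upper(), alert["method"], alert["target"],
              "|", "; ".join(alert["reasons"]))
```

Two practical caveats when deploying this: standard web-server access logs do not record POST bodies, so the rule needs a source that does (a WAF, ModSecurity audit log, or a reverse proxy with request-body logging), and sites that relocate `wp-admin` need the endpoint constant adjusted. Pair the rule with the plugin-presence check from the bullets above to keep the alert volume tied to hosts that actually run the plugin.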