CVE-2024-12066

Name of the Vulnerable Software and Affected Versions SMSA Shipping plugin for WordPress versions up to, and including, 2.2

Description The SMSA Shipping plugin for WordPress has a flaw in the smsa delete label() function due to insufficient file path validation. This issue allows authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server. Such actions can lead to remote code execution when critical files, like wp-config.php, are deleted.

Recommendations For versions up to, and including, 2.2, consider disabling the smsa delete label() function until a patch is available to prevent arbitrary file deletion. Restrict access to the plugin's functionality to minimize the risk of exploitation, especially for users with Subscriber-level access and above. Avoid using the plugin until an updated version that fixes the insufficient file path validation issue is released. At the moment, there is no information about a newer version that contains a fix for this vulnerability.