CVE-2024-12066: 
WordPress vulnerability analysis and mitigation

The SMSA Shipping(official) WordPress plugin contains a critical security vulnerability (CVE-2024-12066) discovered and disclosed on December 21, 2024. The vulnerability affects all versions up to and including 2.2 of the plugin. This security issue stems from insufficient file path validation in the smsadeletelabel() function (NVD Database).

The vulnerability is classified as an External Control of File Name or Path (CWE-73) issue. It has received a CVSS v3.1 Base Score of 8.8 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs low privileges, and can result in high impacts to confidentiality, integrity, and availability (NVD Database).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the server. This capability is particularly dangerous as it can lead to remote code execution when critical files, such as wp-config.php, are targeted for deletion (NVD Database).

Users should immediately update their SMSA Shipping(official) WordPress plugin to a version newer than 2.2 if available. Until an update is applied, it is recommended to restrict access to subscriber-level accounts and carefully monitor file system activities (NVD Database).