CVE-2024-12266: 
WordPress vulnerability analysis and mitigation

The ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress (CVE-2024-12266) contains a missing authorization vulnerability discovered by Fariq Fadillah Gusti Insani. The vulnerability affects all versions up to and including 2.1.7, with the issue being publicly disclosed on December 23, 2024 (WPScan).

The vulnerability stems from missing capability checks in the elexdpexportrules() and elexdpimportrules() functions. It has been assigned a CVSS v3.1 score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is classified as CWE-862 (Missing Authorization) and falls under the OWASP Top 10 category A5: Broken Access Control (NVD, WPScan).

The vulnerability allows unauthenticated attackers to import and export product rules and obtain phpinfo() data, potentially exposing sensitive configuration information and allowing unauthorized manipulation of pricing rules (NVD).

The vulnerability has been fixed in version 2.1.8 of the ELEX WooCommerce Dynamic Pricing and Discounts plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).