CVE-2024-12535: 
WordPress vulnerability analysis and mitigation

The Host PHP Info plugin for WordPress contains a vulnerability (CVE-2024-12535) discovered in January 2025. The vulnerability affects all versions up to and including 1.0.4, stemming from a missing capability check when including the 'phpinfo' function. Notably, the plugin doesn't need to be activated for the vulnerability to be exploitable (NVD).

The vulnerability is classified as CWE-862 (Missing Authorization) and has received a CVSS v3.1 Base Score of 8.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. This scoring indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges or user interaction, and can result in high confidentiality impact (NVD).

The vulnerability allows unauthenticated attackers to read configuration settings and predefined variables on the site's server, potentially exposing sensitive information about the server's configuration (NVD).

The vulnerability was initially reported by security researcher Francesco Carlucci and was subsequently analyzed by Wordfence's threat intelligence team (Wordfence).