CVE-2024-12850: 
WordPress vulnerability analysis and mitigation

The Database Backup and check Tables Automated With Scheduler 2024 plugin for WordPress contains a Directory Traversal vulnerability (CVE-2024-12850) affecting all versions up to and including 2.32. The vulnerability was discovered and disclosed on December 23, 2024, and primarily affects WordPress installations with this specific plugin installed (Wordfence Intel).

The vulnerability exists in the database_backup_ajax_download() function of the plugin. It has been classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and received a CVSS v3.1 score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. This indicates that while the vulnerability requires high privileges to exploit, it can be accessed over the network and requires no user interaction (NVD Database).

The vulnerability allows authenticated attackers with administrator-level access or higher to read the contents of arbitrary files on the server. This could lead to the exposure of sensitive information stored in various server files (NVD Database).

Users should update their Database Backup and check Tables Automated With Scheduler 2024 plugin to a version newer than 2.32 when available. Until then, careful monitoring of administrator access and activities is recommended (NVD Database).