CVE-2024-12849: 
WordPress vulnerability analysis and mitigation

The Error Log Viewer By WP Guru plugin for WordPress contains an Arbitrary File Read vulnerability (CVE-2024-12849) affecting all versions up to and including 1.0.1.3. The vulnerability exists in the wpajaxnoprivelvwplog_download AJAX action, which allows unauthenticated attackers to read arbitrary files on the server (NVD).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). It has received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no privileges required, and high confidentiality impact (NVD, FortiGuard).

Successful exploitation of this vulnerability allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive information. The vulnerability has an exploit prediction score of 0.53% (FortiGuard).

Users are advised to update to a version newer than 1.0.1.3 of the Error Log Viewer By WP Guru plugin. If immediate updating is not possible, it is recommended to remove or disable the plugin until an update can be applied (FortiGuard).