CVE-2024-12535 HIGH

CVE-2024-12535: Host PHP Info <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Disclosure

Vendor Eflyjason

Product Host PHP Info

Weakness CWE-862 · Missing authorization

Published January 7, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.

Key dates

02Disclosure timeline

January 7, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-12535

Related vulnerabilities

CVE-2024-12535: Host PHP Info <= 1.0.4 - Missing Authorization to Unauthenticated Sensitive Information Disclosure

01Description

02Disclosure timeline

03References

04Related CVE