CVE-2024-13600
Published: 12 February 2025
Description
The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the 'majesticsupportdata' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads/majesticsupportdata directory which can contain file attachments included in support tickets.
Security Summary
CVE-2024-13600 is a sensitive information exposure vulnerability (CWE-200) in the Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin for WordPress, affecting all versions up to and including 1.0.5. The flaw arises from insecure storage of sensitive data in the /wp-content/uploads/majesticsupportdata directory, which can contain file attachments included in support tickets, allowing unauthenticated access to this data.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation enables extraction of sensitive data from the exposed directory, resulting in high confidentiality impact but no impact on integrity or availability, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Advisories and plugin references indicate mitigation through updates, including changeset 3231938 on the WordPress plugins trac, with affected code visible in the uploads.php file for version 1.0.5. Wordfence provides additional threat intelligence on the vulnerability.
Details
- CWE(s)