Cyber Posture

CVE-2024-13617

Severity: High · Public PoC

Published: 25 March 2025
Modified: 20 June 2025
KEV Added:
Patch:
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0020 (41.2nd percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Security Summary

CVE-2024-13617 is a vulnerability in the aoa-downloadable WordPress plugin through version 0.1.0. The plugin's download function fails to validate a parameter, which allows unauthenticated attackers to download arbitrary files from the server.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation has a high confidentiality impact, since it exposes sensitive server files. This is reflected in the CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), which is raised by the changed scope (S:C).

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/8d6dd979-21ef-4d14-9c42-bbd1d7b65c53/.

Details

CWE(s): NVD-CWE-noinfo (NVD has not assigned a specific CWE)

Affected Products

Vendor: American Osteopathic Association (osteopathic)
Product: downloadable
Versions: ≤ 0.1.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

This vulnerability in a public-facing WordPress plugin enables remote, unauthenticated arbitrary file download, which maps directly to T1190 (exploitation of a public-facing application for initial access) and T1005 (collection of data from local system files).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
