CVE-2024-13773
Published: 14 March 2025
Description
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Security Summary
CVE-2024-13773 is a sensitive information exposure vulnerability affecting the Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress in all versions up to and including 2.1.4. The issue stems from hard-coded credentials within the plugin, which exposes sensitive data such as LinkedIn client and secret keys. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and maps to CWEs 321 (Use of Hard-coded Cryptographic Key) and 798 (Use of Hard-coded Credentials).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required. Successful exploitation allows extraction of the hard-coded credentials, including LinkedIn client and secret keys, potentially enabling unauthorized access to associated services or further compromise of integrated systems.
Advisories from Wordfence provide threat intelligence on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/e3499182-7501-4fec-a7c6-b66ae47533cd?source=cve. The exposure originates in the plugin's source code at http://localhost:1337/wp-content/themes/civi/includes/class-init.php#L36.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress plugin enables remote exploitation to extract hard-coded credentials from accessible plugin source files.