CVE-2024-13818
Published: 21 February 2025
Description
The Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.8.4 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information about users contained in the exposed log files.
Security Summary
CVE-2024-13818 is a sensitive information exposure vulnerability (CWE-532) affecting the Registration Forms – User Registration Forms, Invitation-Based Registrations, Front-end User Profile, Login Form & Content Restriction plugin for WordPress, in all versions up to and including 3.8.4. The issue stems from publicly exposed log files that contain potentially sensitive user information. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity, as the log files are publicly accessible without requiring privileges or user interaction. Successful exploitation allows attackers to view sensitive user data stored in these logs, potentially including registration details, profiles, or login-related information, enabling reconnaissance or further targeted attacks.
References include the plugin's source code at line 68 of base_variables.php, a changeset detailing the fix between revisions 3246810 and 3255985 in the pie-register trunk, and a Wordfence threat intelligence advisory. Together they indicate that updating the plugin addresses the exposure of log files. Security practitioners should verify installations of this plugin and apply updates promptly.
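The verification step above can be scripted on the server's own filesystem. The following is an added example, not code from the plugin or the advisory: it assumes the plugin is installed under wp-content/plugins/pie-register (the slug from the changeset reference) and, since this page does not name the log file paths, lists every *.log file under wp-content for manual review.

```python
"""Local audit of a WordPress tree for CVE-2024-13818 (added example)."""
import re
import sys
from pathlib import Path

LAST_AFFECTED = (3, 8, 4)  # page: all versions up to and including 3.8.4
SLUG = "pie-register"      # assumption: install directory matches the slug
HDR = r"^[ \t/*#@]*{}:\s*(.*)$"  # standard WordPress plugin header line


def plugin_version(plugin_dir):
    """Return the Version: header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top
        if re.search(HDR.format("Plugin Name"), head, re.M | re.I):
            m = re.search(HDR.format("Version"), head, re.M | re.I)
            return m.group(1).strip() if m else None
    return None


def is_affected(version):
    """True when version <= 3.8.4; an unreadable version counts as affected."""
    if not version:
        return True
    parts = tuple(int(p) for p in version.split(".") if p.isdigit())
    parts += (0,) * (3 - len(parts))  # "3.8" compares as 3.8.0
    return parts <= LAST_AFFECTED


def find_web_logs(wp_root):
    """List *.log files under wp-content, i.e. inside the document root."""
    content = Path(wp_root) / "wp-content"
    return sorted(p for p in content.rglob("*.log") if p.is_file())


def audit(wp_root):
    """Summarise plugin presence, version status and log files for one site."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return {"installed": False, "version": None, "affected": False, "logs": []}
    version = plugin_version(plugin_dir)
    return {"installed": True, "version": version,
            "affected": is_affected(version), "logs": find_web_logs(wp_root)}


if __name__ == "__main__":
    result = audit(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(result)
    sys.exit(1 if result["affected"] else 0)
```

Run it with the WordPress root as the only argument; a non-zero exit status means the installed version is within the affected range.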
Details
- CWE(s)