CVE-2024-13367 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the barteled Sandbox plugin for WordPress, specifically all versions up to and including 0.4. The root cause is the absence of a proper capability check on the export_download action within the plugin. This flaw allows any authenticated user with at least Subscriber-level privileges to invoke the export_download functionality and retrieve a complete copy of the sandbox environment. The sandbox environment can contain highly sensitive files, notably wp-config.php, which includes database credentials, salts, and other configuration parameters critical to the security and operation of the WordPress site. The vulnerability is remotely exploitable without user interaction and requires only low privileges, which are commonly assigned to registered users or subscribers on WordPress sites. The CVSS v3.1 base score is 6.5, reflecting a medium severity level due to the high confidentiality impact but no impact on integrity or availability. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the published date. The vulnerability poses a significant risk of sensitive data leakage, which could facilitate further attacks such as database compromise or privilege escalation if exploited.

The primary impact of CVE-2024-13367 is unauthorized disclosure of sensitive information, including database credentials and configuration details stored in wp-config.php. This can lead to further compromise of the WordPress site, including data theft, site defacement, or complete takeover if attackers leverage the exposed credentials. Since the vulnerability requires only Subscriber-level access, which is commonly granted to registered users or commenters, the attack surface is broad. Organizations running WordPress sites with the vulnerable Sandbox plugin risk exposure of internal configuration data, potentially affecting customer privacy, intellectual property, and operational security. The lack of impact on integrity and availability limits the scope to confidentiality breaches, but the consequences of leaked credentials can be severe. This vulnerability could be exploited in targeted attacks against high-value websites or in automated scanning campaigns against WordPress installations worldwide.

To mitigate CVE-2024-13367, organizations should immediately audit their WordPress installations for the presence of the barteled Sandbox plugin and verify the version in use. Since no official patch is currently linked, temporary mitigations include disabling or uninstalling the Sandbox plugin until a fix is released. Restricting user roles and minimizing the assignment of Subscriber-level access can reduce the risk surface. Additionally, implementing web application firewalls (WAFs) with custom rules to block unauthorized export_download requests can help prevent exploitation. Monitoring access logs for unusual export_download activity is recommended to detect potential exploitation attempts. Site administrators should also ensure that sensitive files like wp-config.php are protected via server-level access controls and not accessible via direct URL requests. Once a patch becomes available, prompt application is critical. Regular backups and incident response plans should be in place to respond to any compromise resulting from this vulnerability.