The vulnerability identified as CVE-2024-13451 affects the WordPress plugin 'Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder' developed by bitpressadmin. Versions up to and including 2.17.4 suffer from sensitive information exposure (CWE-200) due to insufficient protections on uploaded files. Specifically, the plugin fails to prevent directory listing and does not randomize file names for uploaded content, allowing unauthenticated attackers to enumerate and retrieve sensitive files uploaded through the contact forms. This flaw arises because uploaded files are stored in predictable locations with predictable names, and directory browsing is not disabled or restricted, enabling attackers to access these files directly via HTTP requests. The vulnerability impacts confidentiality but does not affect integrity or availability. The issue was partially addressed in version 2.17.5, though the patch may not fully mitigate all exposure vectors. No authentication or user interaction is required to exploit this vulnerability, increasing its risk profile. While no active exploits have been reported, the ease of exploitation and potential for sensitive data leakage make this a significant concern for websites using this plugin. The CVSS 3.1 base score is 5.3, reflecting medium severity with network attack vector, low attack complexity, and no privileges or user interaction needed.

The primary impact of CVE-2024-13451 is the unauthorized disclosure of sensitive information uploaded via the affected contact forms. This can include personally identifiable information (PII), payment details, or other confidential data submitted by users. Exposure of such data can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential legal consequences for affected organizations. Since the vulnerability allows unauthenticated remote attackers to access files, any website using the vulnerable plugin version is at risk of data leakage without any direct interaction from the victim. This can undermine user trust and may facilitate further attacks if sensitive configuration or credential files are exposed. The vulnerability does not impact system integrity or availability, but the confidentiality breach alone is significant. Organizations relying on this plugin for customer interactions or payment processing are particularly at risk. The lack of known exploits suggests limited active targeting currently, but the straightforward nature of the vulnerability means it could be weaponized quickly once widely known.

To mitigate CVE-2024-13451, organizations should immediately update the 'Contact Form by Bit Form' plugin to version 2.17.5 or later, where partial fixes have been applied. However, given the partial nature of the patch, additional measures are recommended: 1) Disable directory listing on web servers hosting the plugin to prevent attackers from enumerating uploaded files. 2) Implement strict access controls on upload directories, such as restricting access via .htaccess or equivalent web server configuration to authenticated users only. 3) Consider moving uploaded files outside the web root or storing them in locations inaccessible via direct HTTP requests. 4) Monitor web server logs for suspicious access patterns targeting upload directories. 5) If feasible, customize or extend the plugin to enforce randomized file names and secure file storage practices. 6) Conduct regular security audits and vulnerability scans to detect exposure. 7) Educate site administrators on secure plugin management and timely patching. These steps will reduce the risk of sensitive data exposure beyond relying solely on plugin updates.