CVE-2024-13535: CWE-209 Generation of Error Message Containing Sensitive Information in marcoingraiti Actionwear products sync
The Actionwear products sync plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.3.2. This is due to the composer-setup.php file being publicly accessible with 'display_errors' set to true. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
AI Analysis
Technical Summary
CVE-2024-13535 is a medium severity vulnerability in the Actionwear products sync WordPress plugin (up to version 2.3.2) caused by the composer-setup.php file being publicly accessible with 'display_errors' set to true. This configuration leads to full path disclosure, allowing unauthenticated attackers to retrieve the absolute file system path of the web application. The information disclosed is limited in impact by itself but can assist attackers in crafting further exploits if other vulnerabilities exist. There is no evidence of active exploitation in the wild, and no patch or official remediation guidance has been provided as of the publication date.
Potential Impact
The vulnerability allows attackers to obtain the full path of the web application, which is sensitive information that can aid in further attacks. However, the disclosed information alone does not compromise confidentiality, integrity, or availability directly. The impact is limited to information disclosure classified as low confidentiality impact with no integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to restrict public access to the composer-setup.php file and disable 'display_errors' in the production environment to prevent error messages from revealing sensitive path information.
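An audit of a plugins directory for the condition described above, written as an added example (not code from the plugin or from this advisory). It assumes the error display is forced from PHP source via `ini_set`, which the advisory does not state; the directory and file names in the sample tree are constructed.

```python
import os
import re
import tempfile

# Heuristic (an assumption of this example): PHP source that turns
# display_errors on at runtime through ini_set().
DISPLAY_ERRORS_ON = re.compile(
    r"""ini_set\s*\(\s*['"]display_errors['"]\s*,\s*['"]?(1|true|on|yes|stdout)['"]?\s*\)""",
    re.IGNORECASE,
)
INSTALLER_NAMES = {"composer-setup.php"}  # the file named in the advisory


def audit_plugins(plugins_dir):
    """Return sorted (relative_path, reason) findings for a plugins tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
            if name.lower() in INSTALLER_NAMES:
                findings.append((rel, "installer script left in web-served tree"))
            with open(path, encoding="utf-8", errors="replace") as fh:
                if DISPLAY_ERRORS_ON.search(fh.read()):
                    findings.append((rel, "forces display_errors on at runtime"))
    return sorted(findings)


def build_sample_tree(root):
    """Write a constructed sample tree: one leftover installer, one debug file."""
    samples = {
        "example-plugin/composer-setup.php": "<?php\nini_set('display_errors', 1);\n",
        "example-plugin/main.php": "<?php\n// plugin bootstrap\n",
        "other-plugin/debug.php": "<?php ini_set(\"display_errors\", 'On');\n",
        "other-plugin/safe.php": "<?php ini_set('display_errors', 0);\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, reason in audit_plugins(tmp):
            print(f"{rel}: {reason}")
```

Any file it reports should be removed from the web-served tree or blocked at the web server, with 'display_errors' disabled in the production PHP configuration, as recommended above.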
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-20T15:20:50.412Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e5fb7ef31ef0b59f15a
Added to database: 2/25/2026, 9:49:19 PM
Last enriched: 4/9/2026, 1:09:47 PM
Last updated: 4/12/2026, 3:48:02 PM