CVE-2024-13535: CWE-209 Generation of Error Message Containing Sensitive Information in marcoingraiti Actionwear products sync
CVE-2024-13535 is a medium-severity vulnerability affecting the Actionwear products sync plugin for WordPress in all versions up to and including 2.3.0. It allows unauthenticated attackers to obtain full path disclosure because the plugin ships a publicly accessible composer-setup.php file that runs with display_errors enabled. The disclosed path alone does not compromise the system, but it removes guesswork from follow-on attacks that depend on knowing the server's filesystem layout. The vulnerability does not impact integrity or availability and requires no user interaction or authentication. No known exploits are currently in the wild. Organizations using this plugin should block or remove the file and disable error display in production to mitigate risk. Countries with significant WordPress usage and e-commerce deployments are most likely to be affected.
AI Analysis
Technical Summary
CVE-2024-13535 is classified under CWE-209 (Generation of Error Message Containing Sensitive Information) and affects the Actionwear products sync plugin for WordPress in all versions up to and including 2.3.0. The plugin ships composer-setup.php, Composer's bootstrap installer script, inside its web-reachable plugin directory. That script is meant to be run once from the command line on a developer machine and has no function in a running site; the stock installer also turns on display_errors itself when it starts. Requesting the file over HTTP therefore executes it in a context it was never written for, and the resulting PHP warnings or fatal errors are rendered to the unauthenticated requester in PHP's standard form ("... in /absolute/path/to/composer-setup.php on line N"), which discloses the absolute filesystem path of the plugin directory and, by extension, the WordPress document root. On its own that is reconnaissance, but it is exactly the information needed for attacks that depend on absolute paths when another weakness is present: writing a file to a known location through SQL injection with INTO OUTFILE, pointing a local file inclusion or directory traversal flaw at a specific file, or fingerprinting the hosting environment from the path layout. The flaw does not by itself permit code execution, data modification or denial of service. The CVSS v3.1 base score is 5.3 (medium): network-reachable, low attack complexity, no privileges and no user interaction required, with a low confidentiality impact and no integrity or availability impact, corresponding to the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. No exploitation in the wild has been reported and no patch had been linked at the time of analysis. The CVE was reserved on 2025-01-20, published in February 2025, and assigned by Wordfence as the CNA.
Potential Impact
The direct impact is information disclosure: the absolute filesystem path of the plugin directory and, with it, the WordPress installation root. That path is not sensitive data in itself, so confidentiality of user data and system integrity are untouched, but it converts otherwise blind follow-on primitives into precise ones. An attacker who already has an SQL injection with file-write privileges can drop a webshell at a known location; a local file inclusion or traversal flaw can be aimed at wp-config.php by absolute path; and the path itself (for example a control-panel layout such as /home/<account>/public_html) fingerprints the hosting provider and operating system. Because the file is reachable without authentication or user interaction, any remote party can collect this information, and a probe for it is cheap enough to be bundled into mass WordPress scanning. On its own the risk is moderate; it becomes material where another weakness coexists or where an attacker is preparing a targeted intrusion.
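To make the impact concrete, the following is an added example, not code from the advisory or from the plugin: it takes a constructed PHP error page of the kind display_errors produces, extracts the leaked absolute path and derives the WordPress root from it, and flags access-log lines that probe for Composer build artefacts (a 200 on composer-setup.php confirms the file is reachable). The plugin directory name, server path, line number and log entries are assumptions made up for the illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of a PHP warning as rendered when display_errors and
# html_errors are on.  The plugin directory name, server path and line number
# are assumptions for illustration, not values taken from the advisory.
SAMPLE_RESPONSE = (
    "<br />\n<b>Warning</b>:  Undefined variable $argv in "
    "<b>/var/www/html/wp-content/plugins/actionwear-products-sync/composer-setup.php</b> "
    "on line <b>23</b><br />\n"
)

# Constructed Apache combined-log lines (documentation IP ranges): a probe for
# the installer followed by a request for another build artefact.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Feb/2026:21:49:19 +0000] "GET /wp-content/plugins/'
    'actionwear-products-sync/composer-setup.php HTTP/1.1" 200 1842 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Feb/2026:21:49:20 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/Feb/2026:21:49:21 +0000] "GET /wp-content/plugins/'
    'actionwear-products-sync/composer.json HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]

# PHP renders displayed errors as "<type>: <message> in <file> on line <n>".
# Capture <file>; allow Windows drive letters as well as POSIX paths.
_PHP_ERROR_RE = re.compile(
    r"\b(?:Warning|Notice|Deprecated|Fatal error|Parse error)\b.*?"
    r"\s+in\s+((?:[A-Za-z]:)?[\\/][^\s]+?)\s+on\s+line\s+\d+",
    re.DOTALL,
)

# Combined log format: client, identity, user, timestamp, request line, status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Build artefacts that should never be served; a starting list, not exhaustive.
BUILD_ARTEFACTS = ("composer-setup.php", "composer.phar", "composer.json", "composer.lock")


def extract_disclosed_paths(body: str) -> List[str]:
    """Return the unique absolute paths leaked by PHP error text in an HTTP body."""
    text = re.sub(r"<[^>]+>", "", body)  # drop html_errors markup
    found: List[str] = []
    for match in _PHP_ERROR_RE.finditer(text):
        path = match.group(1)
        if path not in found:
            found.append(path)
    return found


def wordpress_root(path: str) -> Optional[str]:
    """Derive the WordPress document root from a leaked path, or None if it is not a WP path."""
    normalised = path.replace("\\", "/")
    for marker in ("/wp-content/", "/wp-includes/", "/wp-admin/"):
        idx = normalised.find(marker)
        if idx != -1:
            return normalised[:idx] or "/"
    return None


def flag_probes(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return log entries requesting a build artefact; status 200 means it is reachable."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        match = _LOG_RE.match(line)
        if match is None:
            continue
        url_path = match.group("path").split("?", 1)[0].lower()
        if any(url_path.endswith("/" + name) for name in BUILD_ARTEFACTS):
            hits.append({"ip": match.group("ip"), "path": match.group("path"),
                         "status": match.group("status")})
    return hits


if __name__ == "__main__":
    for leaked in extract_disclosed_paths(SAMPLE_RESPONSE):
        print(f"leaked path: {leaked} (WordPress root: {wordpress_root(leaked)})")
    for hit in flag_probes(SAMPLE_LOG):
        print(f"probe from {hit['ip']}: {hit['path']} -> {hit['status']}")
```

To check a real site, fetch the plugin's composer-setup.php URL and feed the body to extract_disclosed_paths(); an empty list together with a 403 or 404 status is the expected state after mitigation. The log scanner matches on the file name regardless of plugin path, so it also catches probes against other plugins that shipped the same artefact.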
Mitigation Recommendations
The correct fix is to remove composer-setup.php from the deployed plugin: it is Composer's bootstrap installer, needed only on a developer machine, and has no function in a running site. Until a plugin release does that, deny direct HTTP access to the file (and to other build artefacts such as composer.json, composer.lock and composer.phar) at the web server, with a FilesMatch rule in Apache or a location block in nginx, or delete the file from each installation by hand, bearing in mind that a plugin update may restore it. Disabling display_errors in production is necessary hygiene and should be done regardless, but for this particular file it is not sufficient on its own: the installer re-enables display_errors with ini_set() when it runs, so a plain php.ini setting is overridden by the script. Settings a script cannot override are php_admin_flag display_errors off in the Apache (mod_php) virtual host, or php_admin_flag[display_errors] = off in the PHP-FPM pool. WordPress's own WP_DEBUG_DISPLAY setting has no effect here, because a direct request to the file never loads WordPress. Update the plugin as soon as a version without the file is available. For detection, review access logs for requests to composer-setup.php (a 200 response confirms the file is reachable) and other setup or metadata files; such requests are reconnaissance and usually precede a broader scan. A web application firewall rule that blocks requests for known build and installer file names reduces exposure across all plugins, not only this one. Finally, include a check for shipped development artefacts in routine plugin audits and vulnerability scans, since this class of problem recurs.
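The following Apache virtual-host fragment is an added illustration of the two server-side controls above; it is not configuration from the advisory or from the plugin. It assumes Apache 2.4 with mod_php; the file names are the standard Composer ones and the directives are placed in the server configuration because php_admin_* directives are not permitted in .htaccess.

```apache
# Added example (not from the advisory): place inside the site's <VirtualHost>.
# Apache 2.4 syntax.

# 1. Refuse direct requests for Composer build artefacts anywhere under the site.
#    Access control runs before the PHP handler, so the script never executes.
<FilesMatch "^(composer-setup\.php|composer\.phar|composer\.json|composer\.lock)$">
    Require all denied
</FilesMatch>

# 2. Force error display off for every script, including one that calls
#    ini_set('display_errors', 1) itself: php_admin_flag cannot be changed at
#    runtime, and errors still reach the error log for operators.
#    (Module file is mod_php.c on PHP 8, mod_php7.c on PHP 7.)
<IfModule mod_php.c>
    php_admin_flag display_errors off
    php_admin_flag html_errors off
    php_admin_flag log_errors on
</IfModule>
```

With PHP-FPM the second part belongs in the pool file as php_admin_flag[display_errors] = off and php_admin_flag[log_errors] = on. The nginx equivalent of the first part is a location ~* /composer-setup\.php$ { return 404; } block placed before the generic \.php$ location, since nginx takes the first regex location that matches in file order. Verify by requesting the file: the expected result is a 403 or 404 whose body contains no filesystem path.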
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-20T15:20:50.412Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e5fb7ef31ef0b59f15a
Added to database: 2/25/2026, 9:49:19 PM
Last enriched: 2/26/2026, 12:14:14 AM
Last updated: 2/26/2026, 9:48:46 AM