CVE-2024-13536: CWE-209 Generation of Error Message Containing Sensitive Information in 8blocks 1003 Mortgage Application
CVE-2024-13536 is a medium severity vulnerability in the 8blocks 1003 Mortgage Application WordPress plugin, affecting all versions up to and including 1.87. It allows unauthenticated attackers to obtain full path disclosure via a publicly accessible PHP file with error logging enabled. While the disclosed information alone does not directly compromise the system, it can aid attackers in crafting further attacks if other vulnerabilities exist. The flaw stems from improper error message handling (CWE-209) in the /inc/class/fnm/export.php file. No known exploits are currently active in the wild. Organizations using this plugin should be aware of the risk and monitor for updates or patches. This vulnerability primarily impacts WordPress sites using this specific mortgage application plugin, which may be more prevalent in countries with significant mortgage lending industries. Mitigation involves restricting public access to sensitive files and disabling error message display in production environments.
AI Analysis
Technical Summary
CVE-2024-13536 is a vulnerability classified under CWE-209 (Generation of Error Message Containing Sensitive Information) found in the 8blocks 1003 Mortgage Application WordPress plugin, affecting all versions up to and including 1.87. The vulnerability arises because the PHP file located at /inc/class/fnm/export.php is publicly accessible and has error logging enabled, which causes it to reveal the full filesystem path of the web application when an error occurs. This full path disclosure can provide attackers with valuable information about the server's directory structure, which can be leveraged to facilitate other attacks such as local file inclusion, remote code execution, or privilege escalation, especially if other vulnerabilities exist in the environment. The vulnerability does not require any authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, meaning it is remotely exploitable with low attack complexity, no privileges or user interaction needed, and impacts confidentiality only by disclosing information. No known active exploits have been reported in the wild to date. The vulnerability is primarily a result of improper error handling and exposure of sensitive debug information in a production environment, which is a common security misconfiguration. No patches or fixes have been linked yet, so mitigation requires configuration changes or temporary workarounds.
Potential Impact
The primary impact of CVE-2024-13536 is the disclosure of sensitive information, specifically the full filesystem path of the web application. While this does not directly compromise confidentiality, integrity, or availability, it significantly aids attackers by revealing internal server structure details that can be used to identify other vulnerabilities or craft targeted attacks. For organizations using the 1003 Mortgage Application plugin, this could increase the risk of chained attacks such as local file inclusion, code injection, or privilege escalation if other vulnerabilities exist. The exposure of path information can also assist in bypassing security controls or evading detection. Since the vulnerability is exploitable without authentication or user interaction, it increases the attack surface for external threat actors. However, because the disclosed information alone is not sufficient to cause direct harm, the overall risk is medium. Organizations in the mortgage and financial sectors, which rely on this plugin for sensitive customer data processing, could face reputational damage or regulatory scrutiny if exploited in combination with other flaws.
Mitigation Recommendations
To mitigate CVE-2024-13536, organizations should immediately restrict public access to the /inc/class/fnm/export.php file by implementing web server rules (e.g., .htaccess deny directives or equivalent in NGINX) to block unauthenticated requests. Disabling detailed error message display and error logging in production environments is critical to prevent leakage of sensitive information. Administrators should review and harden PHP error reporting settings (e.g., setting display_errors to Off and log_errors to On with secure log storage). Monitoring web server logs for suspicious access attempts to this file can help detect exploitation attempts. Until an official patch is released by 8blocks, consider temporarily removing or replacing the plugin if feasible, or isolating the affected WordPress instance in a segmented network environment. Regularly update WordPress and all plugins to the latest versions and subscribe to vendor advisories for patch notifications. Conduct security audits to identify and remediate any additional vulnerabilities that could be chained with this information disclosure. Employ web application firewalls (WAFs) with custom rules to block requests targeting this file or exhibiting suspicious patterns.
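Detection logic for the log-monitoring step above, added here as an example and not taken from the advisory or the plugin: it scans constructed Apache/NGINX combined-format access log lines for requests to /inc/class/fnm/export.php and separates served (200) from blocked (403/404) responses, so a defender can both spot probing of the file and confirm that the deny rule is actually in effect. The plugin directory slug in the sample lines is assumed.

```python
import re
from collections import defaultdict

# File named in the advisory; matched as a path suffix so the plugin
# directory prefix does not matter.
EXPORT_PATH = "/inc/class/fnm/export.php"

# Apache/NGINX "combined" log format: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real logs); the plugin slug is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Feb/2026:21:49:19 +0000] "GET /wp-content/plugins/1003-mortgage-application/inc/class/fnm/export.php HTTP/1.1" 200 412 "-" "curl/8.4.0"
203.0.113.7 - - [25/Feb/2026:21:49:21 +0000] "GET /wp-content/plugins/1003-mortgage-application/inc/class/fnm/export.php?x=1 HTTP/1.1" 200 415 "-" "curl/8.4.0"
198.51.100.9 - - [25/Feb/2026:22:03:02 +0000] "GET /wp-login.php HTTP/1.1" 200 6124 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2026:09:39:27 +0000] "GET /wp-content/plugins/1003-mortgage-application/inc/class/fnm/export.php HTTP/1.1" 403 199 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return the fields we need from one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so ?x=1 variants still match the file path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_export_hits(log_text):
    """Group requests for export.php by client IP.

    A 200 means the file was served (path disclosure was possible);
    anything else (403 from the deny rule, 404 after removal) means it was blocked.
    """
    hits = defaultdict(lambda: {"served": 0, "blocked": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(EXPORT_PATH):
            continue
        bucket = "served" if rec["status"] == 200 else "blocked"
        hits[rec["ip"]][bucket] += 1
    return dict(hits)


def was_served(hits):
    """True if any request for the file got a 200, i.e. the deny rule was not yet in place."""
    return any(v["served"] > 0 for v in hits.values())
```

In the sample, the same client probes the file twice while it is still reachable and once after the deny rule returns 403, which is the before/after signal to look for after applying the mitigation.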
Affected Countries
United States, Canada, United Kingdom, Australia, Germany, France, Netherlands, Japan, South Korea, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-20T15:23:52.100Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e5fb7ef31ef0b59f15e
Added to database: 2/25/2026, 9:49:19 PM
Last enriched: 2/26/2026, 12:14:01 AM
Last updated: 2/26/2026, 9:39:27 AM