CVE-2024-13537: CWE-209 Generation of Error Message Containing Sensitive Information in ttoomey C9 Blocks
The C9 Blocks plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.7.7. This is due the plugin containing a publicly accessible composer-setup.php file with error display enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
AI Analysis
Technical Summary
CVE-2024-13537 is a medium severity vulnerability in the ttoomey C9 Blocks WordPress plugin (up to version 1.7.7) where a publicly accessible composer-setup.php file with error display enabled leads to full path disclosure. This information leak can assist attackers in crafting further attacks but does not itself allow direct compromise. The vulnerability is due to improper error handling that exposes sensitive path information to unauthenticated users.
Potential Impact
The vulnerability allows unauthenticated attackers to obtain the full filesystem path of the web application, which may facilitate other attacks if additional vulnerabilities exist. There is no direct impact on confidentiality, integrity, or availability from this issue alone.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the meantime, it is recommended to restrict access to the composer-setup.php file or disable error display on production environments to prevent path disclosure.
CVE-2024-13537: CWE-209 Generation of Error Message Containing Sensitive Information in ttoomey C9 Blocks
Description
The C9 Blocks plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.7.7. This is due the plugin containing a publicly accessible composer-setup.php file with error display enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-13537 is a medium severity vulnerability in the ttoomey C9 Blocks WordPress plugin (up to version 1.7.7) where a publicly accessible composer-setup.php file with error display enabled leads to full path disclosure. This information leak can assist attackers in crafting further attacks but does not itself allow direct compromise. The vulnerability is due to improper error handling that exposes sensitive path information to unauthenticated users.
Potential Impact
The vulnerability allows unauthenticated attackers to obtain the full filesystem path of the web application, which may facilitate other attacks if additional vulnerabilities exist. There is no direct impact on confidentiality, integrity, or availability from this issue alone.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the meantime, it is recommended to restrict access to the composer-setup.php file or disable error display on production environments to prevent path disclosure.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-20T15:28:11.947Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e5fb7ef31ef0b59f162
Added to database: 2/25/2026, 9:49:19 PM
Last enriched: 4/9/2026, 6:40:48 AM
Last updated: 4/12/2026, 3:31:44 AM
Views: 17
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.