
CVE-2024-13538: CWE-209 Generation of Error Message Containing Sensitive Information in devsmip BigBuy Dropshipping Connector for WooCommerce

Severity: Medium
Tags: Vulnerability, CVE-2024-13538, CWE-209
Published: Tue Feb 18 2025 (02/18/2025, 04:21:11 UTC)
Source: CVE Database V5
Vendor/Project: devsmip
Product: BigBuy Dropshipping Connector for WooCommerce

Description

CVE-2024-13538 is a medium severity vulnerability in the BigBuy Dropshipping Connector for WooCommerce plugin for WordPress, affecting all versions up to 1.9.19. It allows unauthenticated attackers to trigger an error in a specific PHP file (/vendor/cocur/slugify/bin/generate-default.php) that discloses the full filesystem path of the web application. This full path disclosure (CWE-209) can aid attackers in crafting further attacks but does not on its own compromise confidentiality, integrity, or availability. Exploitation requires no authentication or user interaction, but the disclosed information is only useful in combination with other vulnerabilities. No known exploits are currently reported in the wild. Organizations using this plugin should patch or restrict access to the vulnerable file to mitigate the risk. Countries with significant WooCommerce usage and e-commerce activity are most likely affected.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 00:01:52 UTC

Technical Analysis

The BigBuy Dropshipping Connector for WooCommerce plugin for WordPress contains a vulnerability identified as CVE-2024-13538, classified under CWE-209 (Generation of Error Message Containing Sensitive Information). The issue arises because the PHP script located at /vendor/cocur/slugify/bin/generate-default.php is directly accessible via the web and triggers an error that reveals the full filesystem path of the web application. This full path disclosure occurs in all versions up to and including 1.9.19 of the plugin. Since the error message leaks sensitive internal path information, it can assist attackers in reconnaissance activities, such as identifying directory structures and potential locations of other sensitive files or scripts. The vulnerability is exploitable remotely without any authentication or user interaction, making it accessible to unauthenticated attackers. However, the disclosed information alone does not lead to immediate compromise; it requires chaining with other vulnerabilities to cause significant damage. The CVSS v3.1 base score is 5.3 (medium), reflecting limited confidentiality impact and no impact on integrity or availability. No patches or exploit code are currently publicly available, and no known active exploitation has been reported. The vulnerability is primarily a security information leak that can facilitate further targeted attacks against affected WordPress installations using this plugin.

Potential Impact

The primary impact of CVE-2024-13538 is information disclosure, specifically revealing the full filesystem path of the web application hosting the vulnerable plugin. While this does not directly compromise data confidentiality, integrity, or availability, it provides attackers with valuable intelligence that can be leveraged to identify other vulnerabilities or misconfigurations. For organizations running e-commerce sites on WordPress with the BigBuy Dropshipping Connector plugin, this could increase the risk of targeted attacks such as local file inclusion, remote code execution, or privilege escalation if other vulnerabilities exist. The ease of exploitation (no authentication or user interaction required) increases the likelihood of reconnaissance attempts. However, since the disclosed information alone is not sufficient to cause damage, the overall risk remains medium. Organizations with sensitive customer data or critical e-commerce operations could face increased exposure if attackers combine this vulnerability with others. The lack of known exploits in the wild suggests limited immediate threat but does not preclude future exploitation attempts.

Mitigation Recommendations

To mitigate CVE-2024-13538, organizations should take the following specific actions:
1) Immediately update the BigBuy Dropshipping Connector for WooCommerce plugin to a patched version once available from the vendor. If no patch is currently released, consider temporarily disabling or removing the plugin to eliminate exposure.
2) Restrict direct web access to the /vendor/cocur/slugify/bin/generate-default.php file by configuring web server rules (e.g., .htaccess for Apache or location blocks for Nginx) to deny all HTTP requests to this path.
3) Implement web application firewall (WAF) rules to detect and block requests attempting to access known vulnerable paths or trigger error messages.
4) Review and harden error handling and logging configurations to avoid exposing sensitive internal information in error responses.
5) Conduct a comprehensive vulnerability assessment of the WordPress environment to identify and remediate other potential vulnerabilities that could be chained with this information disclosure.
6) Monitor logs for unusual access patterns targeting the vulnerable file or error messages indicative of exploitation attempts.
7) Educate development and operations teams about secure coding practices to prevent information leakage in error messages.
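Added example (not from the advisory or the plugin vendor) for steps 2 and 6 above: it scans web server access-log lines for requests to the file named in this CVE, tags any other direct request into a plugin's /vendor/ directory, and reports whether the server denied each request, so a defender can confirm the deny rule is working. The plugin directory name "example-plugin-slug" and the sample log lines are constructed placeholders.

```python
import re

# Added example: flag access-log requests for the file named in CVE-2024-13538 and report
# whether the server denied them. Line format is the Apache/Nginx "combined" access log.
VULN_SUFFIX = "/vendor/cocur/slugify/bin/generate-default.php"   # path from the advisory
VENDOR_DIR = re.compile(r"^/wp-content/plugins/[^/]+/vendor/")   # any direct /vendor/ request
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Parse one combined-format line into its fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields

def classify(path):
    """Tag a request path: the CVE's file, any other direct /vendor/ access, or None."""
    path = path.split("?", 1)[0]  # ignore the query string
    if path.endswith(VULN_SUFFIX):
        return "cve-2024-13538-probe"
    if VENDOR_DIR.match(path):
        return "vendor-dir-access"
    return None

def scan(lines):
    """One finding per interesting request; 'blocked' is True when the server denied it."""
    findings = []
    for entry in filter(None, map(parse_line, lines)):
        tag = classify(entry["path"])
        if tag:
            findings.append({"ip": entry["ip"], "path": entry["path"], "status": entry["status"],
                             "tag": tag, "blocked": entry["status"] in (401, 403, 404)})
    return findings

def unblocked_probe_sources(findings):
    """Client IPs whose request for the vulnerable file was served (deny rule missing or bypassed)."""
    return sorted({f["ip"] for f in findings if f["tag"] == "cve-2024-13538-probe" and not f["blocked"]})

# Constructed sample lines; "example-plugin-slug" is a placeholder for the real plugin directory.
PLUGIN = "/wp-content/plugins/example-plugin-slug"
SAMPLE_LOG = [
    f'203.0.113.7 - - [18/Feb/2025:04:30:01 +0000] "GET {PLUGIN}{VULN_SUFFIX} HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'198.51.100.4 - - [18/Feb/2025:04:31:10 +0000] "GET {PLUGIN}{VULN_SUFFIX}?x=1 HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    f'198.51.100.4 - - [18/Feb/2025:04:31:12 +0000] "GET {PLUGIN}/vendor/autoload.php HTTP/1.1" 200 0 "-" "curl/8.4.0"',
    '192.0.2.9 - - [18/Feb/2025:04:32:00 +0000] "GET /shop/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("unblocked probe sources:", unblocked_probe_sources(scan(SAMPLE_LOG)))
```

A served (200) request for the vulnerable file after the deny rule is deployed means the rule is not matching; a 403/404 confirms the path is no longer reachable.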


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-20T15:35:29.164Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e5fb7ef31ef0b59f166

Added to database: 2/25/2026, 9:49:19 PM

Last enriched: 2/26/2026, 12:01:52 AM

Last updated: 2/26/2026, 6:34:37 AM
