The vulnerability identified as CVE-2024-13539 affects the AForms Eats plugin for WordPress, specifically all versions up to and including 1.3.1. The root cause is the presence of a publicly accessible file located at /vendor/aura/payload-interface/phpunit.php, which is part of the plugin's vendor dependencies. This file improperly exposes error messages that reveal the full filesystem path of the web application. This type of vulnerability is classified under CWE-209, which involves the generation of error messages containing sensitive information. The disclosed full path information can be leveraged by attackers to better understand the server environment and directory structure, which can facilitate further attacks such as local file inclusion, directory traversal, or targeted exploitation of other vulnerabilities. The vulnerability requires no authentication and no user interaction, making it trivially accessible to any remote attacker. However, the information disclosed is not directly harmful by itself and requires the presence of additional vulnerabilities to result in significant compromise. The CVSS v3.1 base score is 5.3, reflecting a medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, and limited confidentiality impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability was publicly disclosed on February 12, 2025, and assigned by Wordfence.

The primary impact of this vulnerability is information disclosure, specifically the leakage of the full filesystem path of the web application hosting the AForms Eats plugin. While this does not directly compromise data confidentiality, integrity, or availability, it provides attackers with valuable reconnaissance information that can be used to facilitate more severe attacks. For example, knowledge of the full path can aid in exploiting local file inclusion or directory traversal vulnerabilities, or in crafting payloads that rely on specific directory structures. Organizations running vulnerable versions of the plugin on WordPress sites may face increased risk of targeted attacks if other vulnerabilities exist. The impact is limited if the environment is otherwise secure and hardened, but in complex web hosting environments or shared hosting, this information leakage can be a stepping stone for attackers. Given the widespread use of WordPress globally, the potential attack surface is significant, although the direct damage from this vulnerability alone is low.

To mitigate this vulnerability, organizations should immediately remove or restrict access to the /vendor/aura/payload-interface/phpunit.php file within the AForms Eats plugin directory. Since no official patch is currently linked, manual removal or disabling of this file is recommended to prevent public access. Additionally, administrators should ensure that error reporting is disabled or properly configured in production environments to avoid leaking sensitive information. Employing web application firewalls (WAFs) to block access to known sensitive files and directories can provide an additional layer of defense. Regularly updating the plugin when official patches become available is critical. Conducting comprehensive security audits to identify and remediate other vulnerabilities is important since this information disclosure vulnerability alone requires other weaknesses to be exploited effectively. Finally, monitoring web server logs for suspicious access attempts to this or similar files can help detect exploitation attempts early.