CVE-2024-13540 is a vulnerability classified under CWE-209 (Generation of Error Message Containing Sensitive Information) found in the WooODT Lite – Delivery & pickup date time location for WooCommerce plugin for WordPress. The vulnerability exists because the PHP file /inc/bycwooodt_get_all_orders.php is publicly accessible and, upon encountering an error, outputs a detailed error message that includes the full file system path of the web application. This full path disclosure can provide attackers with valuable information about the server's directory structure, which can be leveraged to facilitate further attacks such as local file inclusion, path traversal, or targeted exploitation of other vulnerabilities. The vulnerability affects all versions up to and including 2.5.1 of the plugin. Exploitation requires no authentication or user interaction, making it remotely exploitable over the network. However, the disclosed information alone is not sufficient to cause direct harm; it must be combined with other vulnerabilities to escalate an attack. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the low impact on confidentiality (limited to path disclosure), no impact on integrity or availability, and ease of exploitation. No patches have been linked yet, and no known exploits are reported in the wild. The vulnerability was publicly disclosed in February 2025.

The primary impact of CVE-2024-13540 is information disclosure, specifically the full file system path of the affected web server. While this does not directly compromise sensitive data or system integrity, it can significantly aid attackers by revealing the directory structure, which is often a critical piece of reconnaissance in web application attacks. This information can be used to craft more effective attacks such as local file inclusion, remote code execution, or privilege escalation if other vulnerabilities exist. For organizations running WooCommerce stores using this plugin, this increases the risk profile of their web infrastructure. Attackers could use the disclosed path information to bypass security controls or identify the location of configuration files and sensitive scripts. Although the vulnerability does not cause direct service disruption or data loss, it lowers the barrier for attackers to exploit other weaknesses, potentially leading to more severe breaches. The impact is thus indirect but meaningful in a layered attack scenario.

To mitigate CVE-2024-13540, organizations should take the following specific actions: 1) Immediately update the WooODT Lite plugin to a version that addresses this vulnerability once available from the vendor. 2) Until a patch is released, restrict public access to the /inc/bycwooodt_get_all_orders.php file by configuring web server rules (e.g., .htaccess or nginx configuration) to deny or limit access to trusted IP addresses only. 3) Disable detailed error messages in production environments by configuring PHP and WordPress error reporting settings to prevent leakage of sensitive information. 4) Conduct a thorough security review of the WordPress environment to identify and remediate any other vulnerabilities that could be combined with this information disclosure. 5) Monitor web server logs for suspicious access attempts to the vulnerable endpoint. 6) Employ web application firewalls (WAFs) to detect and block exploitation attempts targeting this vulnerability. 7) Educate development and operations teams about secure error handling practices to avoid similar issues in custom code.