CVE-2024-13562: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in jcollings Import WP – Export and Import CSV and XML files to WordPress
CVE-2024-13562 is a high-severity vulnerability in the Import WP – Export and Import CSV and XML files to WordPress plugin (versions up to and including 2.14.5). It allows unauthenticated attackers to retrieve sensitive files that the plugin stores under the web-accessible /wp-content/uploads/ directory. The exposed content can include imported or exported user data and other files, compromising confidentiality without authentication or user interaction. The root cause is missing access control on those stored files, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). No exploitation in the wild has been reported, but the CVSS base score of 7.5 indicates significant risk. Organizations using this plugin should prioritize patching or mitigating the issue to prevent data leakage. The threat affects WordPress sites globally, especially those relying on this plugin for data import/export operations.
AI Analysis
Technical Summary
CVE-2024-13562 identifies a sensitive information exposure vulnerability in the Import WP – Export and Import CSV and XML files to WordPress plugin, maintained by jcollings. The plugin imports and exports WordPress data via CSV and XML files. Versions up to and including 2.14.5 leave the files it stores under /wp-content/uploads/ without access control, so an unauthenticated attacker can fetch them directly over HTTP. Because the uploads directory is served as static content by default, an attacker who can discover the file path (through directory listing where it is enabled, or predictable file names) can retrieve imported or exported content such as user records without authentication or user interaction. The root cause is the absence of an authorization check or web server restriction on those files, classified under CWE-200. The CVSS 3.1 base score is 7.5 (High): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N) and high confidentiality impact (C:H); integrity and availability are not affected. No patch or fix is linked in this record, and no in-the-wild exploitation had been reported as of publication. Since every release up to 2.14.5 is affected, site administrators should address the issue promptly to avoid a data breach.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive information stored under the WordPress uploads directory. This can expose personal user data, business-sensitive records or other private content handled by the plugin, and for organizations can translate into reputational damage, regulatory non-compliance (e.g., GDPR, HIPAA) and legal liability. Because no authentication or user interaction is needed, any attacker scanning for vulnerable WordPress sites can exploit it remotely. The scope is every WordPress installation running an affected plugin version, which may be a large population given WordPress's global popularity. Integrity and availability are not affected, but the confidentiality breach alone is serious for sites that handle personal or sensitive data. The absence of known exploits provides a window for mitigation, but the ease of exploitation and the public availability of the plugin increase the likelihood of future attacks.
Mitigation Recommendations
1. Update the Import WP plugin to a patched version as soon as the vendor publishes one; watch the plugin changelog on wordpress.org and the Wordfence advisory for the fixed version.
2. Until then, stop the web server from serving the plugin's import/export artefacts directly. Do not deny access to all of /wp-content/uploads/, which would break site media; deny by file type or by the subdirectory the plugin uses (for example an .htaccess containing `Require all denied` in that subdirectory on Apache, or a `location` block with `deny all;` on Nginx, which ignores .htaccess files).
3. Put a security plugin or web application firewall in front of the site that can block or alert on requests for data files under the uploads directory.
4. Audit the uploads tree and remove import/export files that are no longer needed; where the plugin allows it, store such files outside the web root.
5. Apply least-privilege filesystem permissions, but note that they do not block HTTP access: the web server process must be able to read whatever it serves, so permissions only protect against other local accounts.
6. Review web server access logs for requests to .csv, .xml or similar data files under the uploads directory, especially many such requests from a single client.
7. Keep plugins updated and remove unused ones; educate site administrators on the risks of outdated components.
These steps reduce exposure until an official patch is applied.
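The audit and log review in items 4 and 6 can be scripted. The following is an added example for this advisory, not code from the Import WP plugin or from Wordfence. It assumes the Apache "combined" access log format, and because the page does not name the subdirectory the plugin uses under wp-content/uploads/, the sample tree uses a hypothetical `importwp` directory; the extension list, the sample files and the log lines are all constructed for the demonstration.

```python
"""Audit a WordPress uploads tree for import/export artefacts that the web
server would hand out to anyone who knows the path, and check an access log
for requests that already reached such files.

Added example for this advisory, not code from the Import WP plugin.
Assumptions: Apache 'combined' log format; the plugin keeps its files under
wp-content/uploads/ in a subdirectory whose name is not stated on the page
(the hypothetical name 'importwp' appears in the sample tree only).
"""
import os
import re
import tempfile
from urllib.parse import unquote, urlsplit

# Extensions an import/export plugin is likely to leave behind (assumption).
SENSITIVE_EXT = {".csv", ".xml", ".json", ".txt", ".zip"}

# Apache 2.4 rule that blocks direct HTTP access to the directory it sits in.
# PHP can still read the files; only the web server stops serving them.
# Requires AllowOverride for the uploads path; Nginx ignores .htaccess.
HTACCESS_DENY = "Require all denied\n"

# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") spellings.
DENY_RULE = re.compile(r"^\s*(Require all denied|Deny from all)\s*$", re.I | re.M)

# Apache combined log: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def deny_rule_covers(root, dirpath):
    """True if dirpath or an ancestor up to root carries an .htaccess deny rule.

    Simplification: a child .htaccess that re-grants access is not detected.
    """
    root = os.path.abspath(root)
    cur = os.path.abspath(dirpath)
    while cur.startswith(root):
        ht = os.path.join(cur, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                if DENY_RULE.search(fh.read()):
                    return True
        if cur == root:
            break
        cur = os.path.dirname(cur)
    return False


def audit_uploads(root):
    """Relative paths (with '/') of data files not shielded by a deny rule."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SENSITIVE_EXT:
                continue
            if not deny_rule_covers(root, dirpath):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


def scan_access_log(lines, uploads_url="/wp-content/uploads/"):
    """Map client IP -> sorted paths for successful GETs of data files under uploads."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200":
            continue
        path = unquote(urlsplit(m["path"]).path)  # drop ?query, decode %2F etc.
        if path.startswith(uploads_url) and os.path.splitext(path)[1].lower() in SENSITIVE_EXT:
            hits.setdefault(m["ip"], []).append(path)
    return {ip: sorted(paths) for ip, paths in hits.items()}


def build_sample_tree():
    """Create a constructed uploads tree in a temp dir (demo data, not a real site)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    layout = {
        "2024/11/hero.png": b"\x89PNG\r\n",  # ordinary media, fine to serve
        "importwp/users-export.csv": b"user_login,user_email\nadmin,admin@example.com\n",
        "importwp/import-0003.xml": b"<items><item>...</item></items>\n",
        "protected/orders.csv": b"id,total\n1,9.99\n",
        "protected/.htaccess": HTACCESS_DENY.encode(),  # shielded by deny rule
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


# Constructed log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Feb/2026:21:49:20 +0000] "GET /wp-content/uploads/importwp/users-export.csv HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [25/Feb/2026:21:49:21 +0000] "GET /wp-content/uploads/importwp/import-0003.xml?x=1 HTTP/1.1" 200 880 "-" "curl/8.5.0"',
    '198.51.100.4 - - [25/Feb/2026:21:50:02 +0000] "GET /wp-content/uploads/2024/11/hero.png HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Feb/2026:21:50:03 +0000] "GET /wp-content/uploads/protected/orders.csv HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    root = build_sample_tree()
    print("exposed artefacts:", audit_uploads(root))
    for ip, paths in scan_access_log(SAMPLE_LOG).items():
        print(f"{ip} retrieved {len(paths)} artefact(s): {paths}")
```

Run it against a real site by passing the uploads directory to `audit_uploads` and the access log lines to `scan_access_log`; a 200 response to a .csv or .xml file under uploads from an unfamiliar client is the signal that the data has already left the server. The .htaccess check only means something on Apache with AllowOverride enabled; on Nginx the equivalent protection is a `location ~* ^/wp-content/uploads/.*\.(csv|xml|json|txt|zip)$ { deny all; }` block in the server configuration, which the script cannot see.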
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-21T00:46:48.918Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e60b7ef31ef0b59f30a
Added to database: 2/25/2026, 9:49:20 PM
Last enriched: 2/25/2026, 11:26:47 PM
Last updated: 2/26/2026, 8:47:58 AM