CVE-2024-13600: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ahmadmj Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
CVE-2024-13600 is a high-severity vulnerability in the Majestic Support WordPress plugin that allows unauthenticated attackers to access sensitive information stored insecurely in the /wp-content/uploads/majesticsupportdata directory. This exposure occurs because the plugin does not properly restrict access to file attachments included in support tickets, potentially leaking confidential data. The vulnerability affects all versions up to and including 1. 0. 5 and requires no authentication or user interaction to exploit. Although no known exploits are currently in the wild, the ease of access and high confidentiality impact make this a significant risk. Organizations using this plugin should prioritize patching or mitigating this issue to prevent unauthorized data disclosure.
AI Analysis
Technical Summary
CVE-2024-13600 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin for WordPress. The flaw exists in all versions up to 1.0.5 due to improper access controls on the 'majesticsupportdata' directory located at /wp-content/uploads/. This directory stores file attachments submitted through support tickets, which may contain sensitive or confidential information. Because the directory is accessible without authentication, attackers can directly retrieve these files by navigating to the directory URL, bypassing any intended access restrictions. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No patches have been linked yet, and no known exploits are reported in the wild, but the vulnerability poses a significant risk of data leakage for organizations using this plugin.
Potential Impact
The primary impact of CVE-2024-13600 is unauthorized disclosure of sensitive information, which can include personal data, internal communications, or proprietary documents attached to support tickets. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, HIPAA), reputational damage, and potential legal consequences. Since the vulnerability requires no authentication and can be exploited remotely, any website using the affected plugin version is at risk. Attackers could harvest sensitive attachments en masse, potentially leading to targeted phishing campaigns or further exploitation. The lack of impact on integrity and availability means the threat is focused on confidentiality breaches, but the sensitivity of the exposed data can be critical depending on the organization's sector and data handled.
Mitigation Recommendations
1. Immediately update the Majestic Support plugin to a version that addresses this vulnerability once released by the vendor. 2. Until a patch is available, restrict access to the /wp-content/uploads/majesticsupportdata directory using web server configuration (e.g., .htaccess rules for Apache or location blocks for Nginx) to allow access only to authenticated users or block direct URL access entirely. 3. Implement file access controls within WordPress to ensure attachments are served only to authorized users. 4. Regularly audit the contents of the majesticsupportdata directory to identify and remove any sensitive files that should not be publicly accessible. 5. Monitor web server logs for suspicious access attempts to this directory. 6. Consider encrypting sensitive attachments before upload or using alternative secure storage solutions. 7. Educate support staff on minimizing sensitive data in attachments and using secure communication channels.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
CVE-2024-13600: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in ahmadmj Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin
Description
CVE-2024-13600 is a high-severity vulnerability in the Majestic Support WordPress plugin that allows unauthenticated attackers to access sensitive information stored insecurely in the /wp-content/uploads/majesticsupportdata directory. This exposure occurs because the plugin does not properly restrict access to file attachments included in support tickets, potentially leaking confidential data. The vulnerability affects all versions up to and including 1. 0. 5 and requires no authentication or user interaction to exploit. Although no known exploits are currently in the wild, the ease of access and high confidentiality impact make this a significant risk. Organizations using this plugin should prioritize patching or mitigating this issue to prevent unauthorized data disclosure.
AI-Powered Analysis
Technical Analysis
CVE-2024-13600 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin for WordPress. The flaw exists in all versions up to 1.0.5 due to improper access controls on the 'majesticsupportdata' directory located at /wp-content/uploads/. This directory stores file attachments submitted through support tickets, which may contain sensitive or confidential information. Because the directory is accessible without authentication, attackers can directly retrieve these files by navigating to the directory URL, bypassing any intended access restrictions. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact is primarily on confidentiality (C:H), with no impact on integrity or availability. No patches have been linked yet, and no known exploits are reported in the wild, but the vulnerability poses a significant risk of data leakage for organizations using this plugin.
Potential Impact
The primary impact of CVE-2024-13600 is unauthorized disclosure of sensitive information, which can include personal data, internal communications, or proprietary documents attached to support tickets. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR, HIPAA), reputational damage, and potential legal consequences. Since the vulnerability requires no authentication and can be exploited remotely, any website using the affected plugin version is at risk. Attackers could harvest sensitive attachments en masse, potentially leading to targeted phishing campaigns or further exploitation. The lack of impact on integrity and availability means the threat is focused on confidentiality breaches, but the sensitivity of the exposed data can be critical depending on the organization's sector and data handled.
Mitigation Recommendations
1. Immediately update the Majestic Support plugin to a version that addresses this vulnerability once released by the vendor. 2. Until a patch is available, restrict access to the /wp-content/uploads/majesticsupportdata directory using web server configuration (e.g., .htaccess rules for Apache or location blocks for Nginx) to allow access only to authenticated users or block direct URL access entirely. 3. Implement file access controls within WordPress to ensure attachments are served only to authorized users. 4. Regularly audit the contents of the majesticsupportdata directory to identify and remove any sensitive files that should not be publicly accessible. 5. Monitor web server logs for suspicious access attempts to this directory. 6. Consider encrypting sensitive attachments before upload or using alternative secure storage solutions. 7. Educate support staff on minimizing sensitive data in attachments and using secure communication channels.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-21T17:58:03.612Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e63b7ef31ef0b59f5aa
Added to database: 2/25/2026, 9:49:23 PM
Last enriched: 2/25/2026, 11:12:38 PM
Last updated: 2/26/2026, 8:07:50 AM
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-25191: Uncontrolled Search Path Element in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-23703: Incorrect default permissions in Digital Arts Inc. FinalCode Ver.5 series
HighCVE-2026-1311: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in bearsthemes Worry Proof Backup
HighCVE-2026-2506: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in motahar1 EM Cost Calculator
MediumCVE-2026-2499: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in tgrk Custom Logo
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.