
CVE-2024-13613: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in marcinlawrowski Wise Chat

Severity: High
Published: Sat May 17 2025 (05/17/2025, 11:17:17 UTC)
Source: CVE
Vendor/Project: marcinlawrowski
Product: Wise Chat

Description

The Wise Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.3 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments included in chat messages. The vulnerability was partially patched in version 3.3.3.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 12:01:04 UTC

Technical Analysis

CVE-2024-13613 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting the Wise Chat plugin for WordPress, developed by marcinlawrowski. In all versions up to and including 3.3.3, file attachments included in chat messages are stored inside the web-accessible /wp-content/uploads directory with no access control of their own. Because the web server serves that directory directly, an unauthenticated attacker can retrieve an attachment with a plain HTTP request, with no credentials and no user interaction. The root cause is the plugin's failure to restrict access to the files it uploads, so whatever users attach to chat messages is exposed to anyone who can reach the site over the network.

Version 3.3.3 contains only a partial fix, which is why it is still listed as affected; this page does not name a release that fully resolves the issue. The CVSS v3.1 base score is 7.5 (High), reflecting the network attack vector, no privileges required and no user interaction, with high impact on confidentiality and no impact on integrity or availability. No exploitation in the wild has been reported, but chat attachments are often sensitive and WordPress plugins are widely deployed, so the exposure is significant. The vulnerability was published in May 2025, was assigned by Wordfence, and has been enriched by CISA.

Potential Impact

The primary impact of CVE-2024-13613 is unauthorized disclosure of sensitive information: private chat attachments such as documents, images or other files shared through the Wise Chat plugin. That exposure can mean privacy violations, data leakage and compliance breaches for organizations that handle regulated data. Because exploitation is remote and needs no authentication, a single affected site can leak every attachment it stores. The vulnerability does not allow data to be modified or deleted, but the confidentiality breach alone can damage an organization's reputation, carry legal consequences, and feed follow-on attacks such as social engineering or targeted phishing built from the leaked material. Organizations that rely on Wise Chat for internal or customer-facing communication are most exposed. The absence of reported in-the-wild exploitation suggests limited active abuse so far, but the ease of access and the confidentiality impact make this a high-priority fix.

Mitigation Recommendations

To mitigate CVE-2024-13613, update the Wise Chat plugin to the latest available version. Note that 3.3.3 is only a partial fix, so confirm from the vendor's release notes which version fully resolves the issue before treating a site as remediated. If updating is not immediately possible, restrict direct web access to the location where the plugin stores chat attachments rather than to the whole /wp-content/uploads tree, which would break ordinary media: disable directory listing there (Options -Indexes in Apache, autoindex off in nginx) and deny direct requests to the attachment files. Denying direct requests also blocks legitimate in-chat downloads unless the plugin serves attachments through its own authenticated handler, so test the change on a staging copy first. Review and enforce file upload policies, including allowed file types and size limits, and consider scanning uploads for sensitive content. Use a web application firewall or security plugin that can block enumeration of the uploads directory. Periodically audit the contents of the uploads directory for attachments that should not be web-accessible and remove anything unnecessary. Monitor web server logs for unusual access patterns against the uploads directory, such as successful directory-listing requests or one client fetching many distinct attachment files, which may indicate exploitation. Finally, make sure site administrators apply plugin updates promptly.
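As an added example (not code from this page, from Wordfence or from the Wise Chat project), the following Python covers two of the points above: the weak and hardened Apache .htaccess settings for the directory the plugin writes attachments to, and detection logic run over constructed Apache combined-format log lines to surface directory listings and bulk fetching under /wp-content/uploads, the storage location named in the advisory. The attachment subdirectory, the log lines, the client addresses and the threshold of three files are all assumptions made for the example; the page does not name the plugin's real attachment path.

```python
"""Added example for CVE-2024-13613 (not code from the page, from Wordfence or
from the Wise Chat project).  Two checks for the exposure described above:

  htaccess_hardened(text)      - does an Apache .htaccess both disable
                                 directory indexes and deny direct requests?
  find_upload_enumeration(log) - which clients in an Apache combined-format
                                 access log listed, or bulk-fetched files
                                 from, the uploads directory?

All configs, paths and log lines below are constructed for illustration;
the plugin's real attachment subdirectory is not named on the page.
"""
import re
from collections import defaultdict

UPLOADS_DIR = "/wp-content/uploads/"   # directory named in the advisory

# Weak: no .htaccess at all, so the web server lists and serves everything.
WEAK_HTACCESS = ""

# Hardened (Apache 2.4+, needs AllowOverride to permit these directives).
# Place it in the attachment directory, not in all of /wp-content/uploads.
HARDENED_HTACCESS = """\
Options -Indexes
Require all denied
"""

_OPTIONS_NO_INDEX = re.compile(r"Options(?:\s+\S+)*\s+-Indexes(?:\s+\S+)*", re.I)
_DENY_ALL = re.compile(r"(?:Require\s+all\s+denied|Deny\s+from\s+all)", re.I)


def htaccess_hardened(text: str) -> bool:
    """True only when indexes are disabled AND direct access is denied."""
    directives = [
        line.strip()
        for line in text.splitlines()
        if line.strip() and not line.strip().startswith("#")
    ]
    no_index = any(_OPTIONS_NO_INDEX.fullmatch(d) for d in directives)
    denied = any(_DENY_ALL.fullmatch(d) for d in directives)
    return no_index and denied


# Combined log format; the request line is split into method and path.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return (ip, method, path, status), or None for an unparsable line."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]      # drop any query string
    return m.group("ip"), m.group("method"), path, int(m.group("status"))


def find_upload_enumeration(log_lines, prefix=UPLOADS_DIR, threshold=3):
    """Flag successful directory listings under `prefix` and any client that
    fetched at least `threshold` distinct files there.  The threshold is an
    arbitrary example value; tune it to the site's normal traffic."""
    listings = set()
    files_by_ip = defaultdict(set)
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        if method not in ("GET", "HEAD") or not path.startswith(prefix):
            continue
        if status not in (200, 206):         # only successful reads matter
            continue
        if path.endswith("/"):
            listings.add(("listing", ip, path))
        else:
            files_by_ip[ip].add(path)
    findings = sorted(listings)
    for ip, paths in sorted(files_by_ip.items()):
        if len(paths) >= threshold:
            findings.append(("enumeration", ip, len(paths)))
    return findings


# Constructed sample log: 203.0.113.10 lists the directory and then pulls
# four distinct files; 198.51.100.7 is a normal single fetch; 192.0.2.5 is
# refused (403) by a hardened directory and so produces no finding.
SAMPLE_LOG = [
    '203.0.113.10 - - [17/May/2025:11:17:17 +0000] "GET /wp-content/uploads/2025/05/ HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.10 - - [17/May/2025:11:17:18 +0000] "GET /wp-content/uploads/2025/05/invoice-scan.pdf HTTP/1.1" 200 48213 "-" "curl/8.5.0"',
    '203.0.113.10 - - [17/May/2025:11:17:18 +0000] "GET /wp-content/uploads/2025/05/contract-draft.docx HTTP/1.1" 200 20004 "-" "curl/8.5.0"',
    '203.0.113.10 - - [17/May/2025:11:17:19 +0000] "GET /wp-content/uploads/2025/05/id-card.jpg HTTP/1.1" 200 91311 "-" "curl/8.5.0"',
    '203.0.113.10 - - [17/May/2025:11:17:19 +0000] "GET /wp-content/uploads/2025/05/notes.txt?x=1 HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.10 - - [17/May/2025:11:17:20 +0000] "GET /wp-content/uploads/2025/05/missing.pdf HTTP/1.1" 404 196 "-" "curl/8.5.0"',
    '198.51.100.7 - - [17/May/2025:11:20:02 +0000] "GET /wp-content/uploads/2025/05/logo.png HTTP/1.1" 200 3311 "https://example.org/" "Mozilla/5.0"',
    '192.0.2.5 - - [17/May/2025:11:21:40 +0000] "GET /wp-content/uploads/2025/05/ HTTP/1.1" 403 199 "-" "python-requests/2.32"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    print("weak .htaccess hardened?    ", htaccess_hardened(WEAK_HTACCESS))
    print("hardened .htaccess hardened?", htaccess_hardened(HARDENED_HTACCESS))
    for finding in find_upload_enumeration(SAMPLE_LOG):
        print(finding)
```

Two caveats when applying the hardened settings for real: `Require all denied` in an .htaccess file only takes effect if the virtual host's `AllowOverride` permits it, and nginx ignores .htaccess entirely (use a `location` block with `autoindex off` and `deny all` instead). Denying direct access also stops the plugin's own attachment links from working unless it serves files through PHP, which this page does not confirm, so verify on a staging copy before deploying. The detector counts 206 as a success because download managers fetch attachments in ranges.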


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-22T01:01:46.932Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 2/28/2026, 12:01:04 PM

Last updated: 3/25/2026, 1:37:47 AM
