CVE-2024-13671: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in efreja Music Sheet Viewer
CVE-2024-13671 is a high-severity path traversal vulnerability in the efreja Music Sheet Viewer WordPress plugin affecting all versions up to and including 4.1. It allows unauthenticated attackers to abuse the read_score_file() function to read arbitrary files on the server, disclosing sensitive information without any user interaction or authentication. The vulnerability arises from improper limitation of pathname inputs, enabling traversal outside the intended directory. Although no exploits are currently known in the wild, the ease of exploitation and the impact on confidentiality make this a critical concern for affected sites, and organizations using the plugin should prioritize patching or mitigating it to prevent data leakage. The vulnerability affects WordPress sites running this plugin, which exist worldwide, with particular risk in countries with high WordPress adoption. The CVSS score is 7.5, reflecting high impact on confidentiality with no impact on integrity or availability.
AI Analysis
Technical Summary
CVE-2024-13671 is a path traversal vulnerability classified under CWE-22 found in the efreja Music Sheet Viewer plugin for WordPress. The vulnerability exists in the read_score_file() function, which fails to properly sanitize or restrict the pathname input, allowing attackers to traverse directories and read arbitrary files on the server. This flaw affects all versions up to and including 4.1 of the plugin. Because the vulnerability can be exploited remotely without authentication or user interaction, an attacker can directly request files outside the intended directory scope. The arbitrary file read can expose sensitive server files such as configuration files, credentials, or other private data, potentially leading to further compromise. The vulnerability has a CVSS 3.1 base score of 7.5, indicating high severity due to the network attack vector, low attack complexity, no privileges required, and no user interaction needed. No known public exploits have been reported yet, but the vulnerability is publicly disclosed and thus may be targeted soon. The affected plugin is used on WordPress sites that serve music sheet content, and the vulnerability could be leveraged to gain intelligence on the server environment or escalate attacks. The lack of a patch at the time of disclosure increases the urgency for mitigation.
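The CWE-22 pattern described above, as an added illustration that is not the plugin's code: a hypothetical score-file reader in Python (rather than the plugin's PHP) shown in the unsafe form, which joins the user-supplied name straight onto the base directory, beside the hardened form, which resolves both paths and refuses anything outside the base. The directory layout and file contents are constructed sample data.

```python
import os
import tempfile

# Hypothetical model of a score-file reader, added to illustrate the CWE-22
# pattern the advisory describes; this is NOT the plugin's own code.

def read_score_file_unsafe(base_dir: str, score_name: str) -> str:
    """Vulnerable pattern: the user-supplied name is joined to the base
    directory with no containment check, so '../' segments escape it."""
    path = os.path.join(base_dir, score_name)
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def read_score_file_safe(base_dir: str, score_name: str) -> str:
    """Hardened pattern: resolve both paths (following symlinks) and refuse
    any request whose real location is not inside the base directory."""
    real_base = os.path.realpath(base_dir)
    real_path = os.path.realpath(os.path.join(real_base, score_name))
    if os.path.commonpath([real_base, real_path]) != real_base:
        raise PermissionError(f"path outside score directory: {score_name!r}")
    with open(real_path, "r", encoding="utf-8") as fh:
        return fh.read()


def demo() -> tuple:
    """Build a throwaway layout (constructed sample data):
       <tmp>/scores/song.xml   legitimate score inside the base
       <tmp>/secret.txt        file outside the base
    and show what each variant returns for an in-bounds and an escaping name."""
    with tempfile.TemporaryDirectory() as tmp:
        scores = os.path.join(tmp, "scores")
        os.mkdir(scores)
        with open(os.path.join(scores, "song.xml"), "w", encoding="utf-8") as fh:
            fh.write("<score/>")
        with open(os.path.join(tmp, "secret.txt"), "w", encoding="utf-8") as fh:
            fh.write("DB_PASSWORD=constructed")
        ok_unsafe = read_score_file_unsafe(scores, "song.xml")
        leak = read_score_file_unsafe(scores, "../secret.txt")  # escapes base
        ok_safe = read_score_file_safe(scores, "song.xml")
        try:
            read_score_file_safe(scores, "../secret.txt")
            blocked = False
        except PermissionError:
            blocked = True
        return ok_unsafe, leak, ok_safe, blocked


if __name__ == "__main__":
    print(demo())
```

The realpath step matters because a symlink inside the base can also point outside it; a plain string prefix check on the unresolved path would miss that.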
Potential Impact
The primary impact of CVE-2024-13671 is unauthorized disclosure of sensitive information through arbitrary file reads. Attackers can access configuration files, database credentials, private keys, or other sensitive data stored on the server, which can facilitate further attacks such as privilege escalation, data theft, or site compromise. Since the vulnerability does not affect integrity or availability directly, the main concern is confidentiality breach. Organizations worldwide running WordPress sites with this plugin are at risk, especially those hosting sensitive or regulated data. Exploitation could lead to compliance violations, reputational damage, and increased risk of follow-on attacks. The ease of exploitation without authentication or user interaction means attackers can automate scanning and exploitation at scale, increasing the threat surface. The lack of known exploits in the wild currently limits immediate widespread damage, but the public disclosure raises the likelihood of future exploitation attempts.
Mitigation Recommendations
1. Immediately disable or uninstall the efreja Music Sheet Viewer plugin if it is not essential to your WordPress site functionality.
2. If the plugin is required, restrict access to the plugin’s files and endpoints via web server configuration (e.g., .htaccess rules or firewall rules) to trusted IP addresses only.
3. Monitor web server logs for suspicious requests attempting directory traversal patterns or accessing unexpected files.
4. Implement a Web Application Firewall (WAF) with rules to detect and block path traversal attempts targeting the plugin.
5. Regularly back up site data and configurations to enable recovery in case of compromise.
6. Stay alert for official patches or updates from the vendor and apply them promptly once available.
7. Conduct a security audit of the WordPress environment to identify other potential vulnerabilities or outdated plugins.
8. Limit file permissions on the server to minimize exposure of sensitive files to the web server user.
9. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.
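Recommendation 3 (log monitoring) worked through as an added example, not part of the original advisory: a small Python scanner over constructed combined-format access-log lines that flags traversal attempts in the request path or any query value, decoding percent-encoding repeatedly so double-encoded `..%252F` is caught, and counts hits per client. The `score` query parameter is an assumption; the advisory does not name the plugin's actual parameter.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample access-log lines (combined log format), not real traffic.
# The 'score' parameter name is assumed; the advisory does not give it.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Feb/2026:21:49:27 +0000] "GET /?score=scores/song.xml HTTP/1.1" 200 1843
203.0.113.10 - - [25/Feb/2026:21:49:31 +0000] "GET /?score=../../../../wp-config.php HTTP/1.1" 200 3102
198.51.100.7 - - [25/Feb/2026:21:50:02 +0000] "GET /?score=..%252F..%252Fwp-config.php HTTP/1.1" 200 3102
198.51.100.7 - - [25/Feb/2026:21:50:05 +0000] "GET /wp-content/uploads/scores/etude.mxl HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' segment delimited by a slash or backslash (or string start/end).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded '..%252F' reads as '../'."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(target: str) -> bool:
    """True if the URL path or any query value contains a '..' segment."""
    parsed = urllib.parse.urlsplit(target)
    values = [parsed.path]
    for vals in urllib.parse.parse_qs(parsed.query, keep_blank_values=True).values():
        values.extend(vals)
    return any(TRAVERSAL_RE.search(fully_decode(v)) for v in values)


def scan_log(text: str) -> dict:
    """Return {client_ip: number of flagged requests} over the given log text."""
    hits = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A 200 status on a flagged request is the signal to escalate, since it suggests the read succeeded rather than being blocked by the WAF rules in recommendation 4.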
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-23T18:07:45.842Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e67b7ef31ef0b59ffd8
Added to database: 2/25/2026, 9:49:27 PM
Last enriched: 2/25/2026, 10:42:37 PM
Last updated: 2/26/2026, 7:02:34 AM