CVE-2024-13791 is a relative path traversal vulnerability (CWE-23) identified in the Bit Assist WordPress plugin 'Chat Widget: Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button' developed by bitpressadmin. The vulnerability affects all versions up to and including 1.5.2 and resides in the downloadResponseFile() function. This function improperly validates or sanitizes user-supplied input used to construct file paths, allowing an authenticated attacker with Administrator-level privileges or higher to traverse directories and access arbitrary files on the server filesystem. Exploiting this vulnerability does not require user interaction but does require elevated privileges, which limits the attacker scope to trusted users with admin access. The ability to read arbitrary files can expose sensitive data such as configuration files, credentials, or other private information stored on the server. The vulnerability has a CVSS v3.1 base score of 4.9, indicating medium severity, with attack vector being network-based, low attack complexity, high privileges required, no user interaction, and high confidentiality impact but no impact on integrity or availability. No public exploits or patches have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly.

The primary impact of CVE-2024-13791 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. For organizations, this can lead to exposure of critical data such as database credentials, API keys, configuration files, or personally identifiable information (PII), potentially facilitating further attacks like privilege escalation or lateral movement. Since exploitation requires administrator-level access, the risk is heightened in environments where multiple users have elevated privileges or where credentials may be compromised. The vulnerability does not directly affect system integrity or availability but can undermine confidentiality and trust in the affected systems. Organizations relying on the Bit Assist plugin for customer support and live chat functionalities may face reputational damage and compliance risks if sensitive data is leaked. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks or insider threat scenarios.

To mitigate CVE-2024-13791, organizations should first check for updates or patches from the vendor and apply them promptly once available. In the absence of official patches, administrators should restrict access to the WordPress admin panel to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Reviewing and limiting the number of users with Administrator-level privileges can minimize the attack surface. Additionally, implementing web application firewalls (WAFs) with rules to detect and block path traversal attempts may provide temporary protection. Monitoring server logs for unusual file access patterns related to the downloadResponseFile() function can help detect exploitation attempts. As a longer-term measure, developers should sanitize and validate all file path inputs rigorously to prevent directory traversal. Backup sensitive data regularly and ensure incident response plans are in place to address potential data breaches.