
CVE-2024-6549: CWE-200 Information Exposure in coffee2code Admin Post Navigation

Severity: Medium
Tags: Vulnerability, CVE-2024-6549, CWE-200
Published: Sat Jul 27 2024 (07/27/2024, 01:51:05 UTC)
Source: CVE Database V5
Vendor/Project: coffee2code
Product: Admin Post Navigation

Description

CVE-2024-6549 is a medium severity vulnerability in the WordPress plugin Admin Post Navigation by coffee2code. It allows unauthenticated attackers to retrieve the full filesystem path of the web application because leftover test files ship with display_errors enabled. This full path disclosure does not directly compromise confidentiality, integrity, or availability, but it can aid attackers in crafting further attacks when combined with other vulnerabilities. The vulnerability affects all versions up to and including 2.1. No known exploits are currently reported in the wild. The vulnerability requires no authentication or user interaction and has a CVSS score of 5.3. Organizations using this plugin should update or mitigate exposure to prevent information leakage that could facilitate more severe attacks.

AI-Powered Analysis

Last updated: 02/26/2026, 03:13:44 UTC

Technical Analysis

CVE-2024-6549 is an information disclosure vulnerability classified under CWE-200 affecting the Admin Post Navigation WordPress plugin developed by coffee2code. The root cause is the presence of test files left in the plugin that have PHP's display_errors directive enabled, which reveals the full filesystem path of the web server hosting the WordPress site. This vulnerability exists in all plugin versions up to and including 2.1. An unauthenticated attacker can trigger error messages that disclose the absolute path to the web application directory. While the disclosed information alone does not allow direct compromise, it can be leveraged to facilitate other attacks such as local file inclusion, path traversal, or targeted exploitation of other vulnerabilities by providing attackers with precise directory structure knowledge. The vulnerability does not impact integrity or availability directly and requires no privileges or user interaction to exploit. No public exploits have been reported yet, but the presence of this information leakage increases the attack surface and risk for affected sites. The CVSS 3.1 base score is 5.3, reflecting a medium severity level due to the ease of exploitation and the limited impact of the disclosed information alone.

Potential Impact

The primary impact of CVE-2024-6549 is the exposure of sensitive internal information about the web server's directory structure. This information can significantly aid attackers in crafting more effective attacks, such as local file inclusion, remote code execution, or privilege escalation, especially if other vulnerabilities exist on the same system. Organizations running the vulnerable plugin may face increased risk of targeted attacks and exploitation chains. Although the vulnerability itself does not allow direct compromise, it lowers the barrier for attackers to identify and exploit other weaknesses. This can lead to data breaches, website defacement, or service disruption if combined with additional vulnerabilities. The impact is particularly relevant for websites with sensitive data or critical business functions relying on WordPress and this plugin.

Mitigation Recommendations

To mitigate CVE-2024-6549, organizations should immediately update the Admin Post Navigation plugin to a version where this issue is fixed once available. Until a patch is released, administrators should manually remove or disable any test files that enable display_errors or other debugging features within the plugin directory. Additionally, configuring the PHP environment to disable display_errors on production servers is critical to prevent information leakage. Web application firewalls (WAFs) can be configured to block requests that trigger error messages or access test files. Regular security audits and vulnerability scanning should be performed to detect such information disclosures. Monitoring logs for suspicious requests targeting plugin files can help identify exploitation attempts. Finally, reducing the attack surface by limiting plugin usage to only necessary components and following WordPress security best practices will help mitigate risk.
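As an added example that is not part of this advisory: Python detection logic, run over a few constructed Apache access-log lines and a constructed PHP warning, that flags direct requests to PHP files inside a plugin directory (the way leftover test files are reached, bypassing WordPress) and recognises the full-path disclosure that display_errors produces in a response body. The plugin slug admin-post-navigation and the test-file name are assumptions, not values taken from the advisory.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines (Apache combined format), not real traffic.
# The plugin slug and the test-file name are assumptions for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Jul/2024:02:14:01 +0000] "GET /wp-content/plugins/admin-post-navigation/tests/example-test.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [27/Jul/2024:02:14:05 +0000] "GET /wp-admin/post.php?post=12&action=edit HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
203.0.113.12 - - [27/Jul/2024:02:14:09 +0000] "GET /wp-content/plugins/admin-post-navigation/assets/admin.css HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
"""

# Constructed PHP warning as emitted with display_errors=On and html_errors=On.
SAMPLE_BODY = ("<br />\n<b>Warning</b>:  Undefined variable $post in "
               "<b>/var/www/html/wp-content/plugins/admin-post-navigation/tests/example-test.php</b> "
               "on line <b>7</b><br />\n")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')
# A .php file requested directly under wp-content/plugins/: WordPress normally includes plugin
# code via index.php or wp-admin, so a direct hit deserves a look (some plugins expose
# legitimate direct endpoints; keep an allow-list for your own site).
DIRECT_PLUGIN_PHP_RE = re.compile(r"^/wp-content/plugins/[^/]+/.+\.php$")
# PHP error text once <b> tags are stripped: "<type>: <message> in /abs/path/file.php on line N".
PHP_ERROR_RE = re.compile(
    r"(?:Warning|Fatal error|Notice|Deprecated|Parse error):.*?\sin\s(/\S+\.php)\son line\s(\d+)", re.S)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LOG_RE.match(l) for l in text.splitlines()) if m]


def is_direct_plugin_php_request(url: str) -> bool:
    """True when the request path (query string dropped) is a PHP file inside a plugin dir."""
    path = url.split("?", 1)[0]
    return DIRECT_PLUGIN_PHP_RE.match(path) is not None


def flag_direct_plugin_requests(text: str) -> List[Dict[str, str]]:
    """Log entries that hit plugin PHP files directly and were answered with 200."""
    return [e for e in parse_log(text)
            if is_direct_plugin_php_request(e["url"]) and e["status"] == "200"]


def full_path_disclosed(body: str) -> Optional[str]:
    """Absolute server path leaked by a PHP error message in the response body, if any."""
    plain = re.sub(r"</?b>", "", body)
    m = PHP_ERROR_RE.search(plain)
    return m.group(1) if m else None
```

Running full_path_disclosed against responses from your own site after removing the test files and setting display_errors=Off confirms the leak is closed; the log check is the ongoing monitoring the recommendations above describe.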


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-07-08T14:00:13.429Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6c06b7ef31ef0b55f1a3

Added to database: 2/25/2026, 9:39:18 PM

Last enriched: 2/26/2026, 3:13:44 AM

Last updated: 2/26/2026, 11:16:33 AM

