CVE-2024-6553: CWE-200 Information Exposure in aguidrevitch WP Meteor Website Speed Optimization Addon

Severity: Medium
Tags: vulnerability, cve-2024-6553, cve, cwe-200
Published: Wed Jul 24 2024 (07/24/2024, 06:42:22 UTC)
Source: CVE Database V5
Vendor/Project: aguidrevitch
Product: WP Meteor Website Speed Optimization Addon

Description

CVE-2024-6553 is a medium-severity vulnerability in the WP Meteor Website Speed Optimization Addon plugin for WordPress, affecting all versions up to and including 3.4.3. The flaw allows unauthenticated attackers to retrieve the full file system path of the web application due to leftover test files with display_errors enabled. While this full path disclosure does not directly compromise confidentiality, integrity, or availability, it can facilitate further attacks if combined with other vulnerabilities. No authentication or user interaction is required to exploit this issue. There are currently no known exploits in the wild, and no patches have been published yet. Organizations using this plugin should be aware of the risk of information leakage that could aid attackers in reconnaissance and subsequent exploitation. Mitigation involves disabling display_errors in production environments and removing test files. Countries with significant WordPress usage and large web hosting sectors, such as the United States, Germany, United Kingdom, Canada, Australia, and India, are most likely to be affected.

AI-Powered Analysis

Last updated: 02/26/2026, 03:14:48 UTC

Technical Analysis

CVE-2024-6553 is an information exposure vulnerability classified under CWE-200, found in the WP Meteor Website Speed Optimization Addon plugin for WordPress, maintained by aguidrevitch. This vulnerability exists in all versions up to and including 3.4.3. The root cause is the presence of test files left in the plugin that have PHP's display_errors directive enabled, which reveals the full filesystem path of the web application when accessed. This full path disclosure occurs without requiring any authentication or user interaction, making it remotely exploitable by unauthenticated attackers. Although the disclosed information alone does not allow direct compromise, it can significantly aid attackers by providing detailed knowledge about the server environment, directory structure, and potentially the location of sensitive files. This information can be leveraged to craft more targeted attacks, such as local file inclusion, remote code execution, or privilege escalation, if other vulnerabilities exist on the same system. The vulnerability has a CVSS v3.1 base score of 5.3, reflecting its medium severity, with an attack vector of network, low attack complexity, no privileges required, and no user interaction needed. As of the published date, no patches or fixes have been released, and no known exploits have been observed in the wild. The vulnerability was reserved and published by Wordfence, a reputable security vendor. The plugin’s reliance on the wpdesk framework and the failure to remove test files with display_errors enabled is a common security oversight that leads to this information leakage.

Potential Impact

The primary impact of CVE-2024-6553 is the exposure of the full filesystem path of the WordPress installation to unauthenticated remote attackers. This information disclosure can facilitate reconnaissance activities, enabling attackers to better understand the target environment and identify potential attack vectors. While the vulnerability itself does not allow direct compromise of confidentiality, integrity, or availability, it lowers the barrier for successful exploitation of other vulnerabilities by providing critical environmental details. Organizations running the affected plugin may face increased risk of targeted attacks such as local file inclusion, remote code execution, or privilege escalation if other security weaknesses exist. This can lead to website defacement, data theft, or service disruption. The vulnerability affects all sites using the WP Meteor Website Speed Optimization Addon up to version 3.4.3, which may include a broad range of small to medium-sized businesses and personal websites relying on WordPress for content management and performance optimization. The lack of authentication and user interaction requirements increases the likelihood of automated scanning and exploitation attempts once a proof-of-concept is available.

Mitigation Recommendations

To mitigate CVE-2024-6553, organizations should immediately verify and disable the PHP display_errors directive in their production environments to prevent error messages from being exposed to unauthenticated users. Specifically, ensure that the plugin’s test files that enable display_errors are removed or disabled. Administrators should audit the plugin directory for leftover test or debug files and delete them. If possible, update the WP Meteor Website Speed Optimization Addon plugin to a fixed version once released by the vendor. In the absence of an official patch, consider temporarily disabling or uninstalling the plugin to eliminate the exposure. Additionally, implement web application firewalls (WAFs) to detect and block suspicious requests targeting the plugin’s test files. Regularly monitor web server logs for unusual access patterns that may indicate reconnaissance attempts. Finally, conduct comprehensive vulnerability assessments to identify and remediate any other vulnerabilities that could be chained with this information disclosure to achieve a full compromise.
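The audit steps above (find leftover files that switch display_errors on, look for test or debug files in the plugin tree, and confirm the runtime setting) as an added shell script; this is example code, not the advisory's or the plugin author's. The plugins path, the file-name heuristics and the runtime check are assumptions, and the script only reports, it deletes nothing.

```shell
#!/bin/sh
# Added example, not from the advisory or the plugin author: audit a WordPress
# plugins directory for the CVE-2024-6553 pattern, leftover PHP files that
# switch display_errors on and so leak the full filesystem path on error.
# The directory path and file-name heuristics below are assumptions.

# ERE for ini_set('display_errors', <on-value>); parentheses are bracketed
# so the pattern needs no backslashes. display_errors=0/off is not matched.
DISPLAY_ERRORS_ON="ini_set[[:space:]]*[(][[:space:]]*['\"]display_errors['\"][[:space:]]*,[[:space:]]*['\"]?(1|[Oo][Nn]|[Tt][Rr][Uu][Ee]|stdout)['\"]?[[:space:]]*[)]"

# List PHP files under $1 that enable display_errors at runtime.
find_display_errors_files() {
    find "$1" -type f -name '*.php' -exec grep -lE "$DISPLAY_ERRORS_ON" {} + 2>/dev/null
}

# List files under $1 whose names suggest test or debug code that should not
# ship in production (heuristic; review each hit before deleting anything).
find_test_files() {
    find "$1" -type f \( -iname '*test*.php' -o -iname '*debug*.php' \) 2>/dev/null
}

# Report the effective display_errors setting of the PHP binary on PATH.
# Returns 0 if off, 1 if on, 2 if php is missing. Caveat: the CLI may read a
# different php.ini than php-fpm or mod_php; check the SAPI that serves the site.
check_runtime_display_errors() {
    command -v php >/dev/null 2>&1 || { echo "php not found on PATH"; return 2; }
    v=$(php -r 'echo ini_get("display_errors");' 2>/dev/null)
    case "$v" in
        ''|0|[Oo][Ff][Ff]) echo "display_errors=off ($v)"; return 0 ;;
        *) echo "display_errors=ON ($v): disable it in the production php.ini"; return 1 ;;
    esac
}

# Run all three checks against one plugins directory.
audit_plugins() {
    echo "== files enabling display_errors under $1 =="
    find_display_errors_files "$1" || true
    echo "== test/debug-looking files under $1 =="
    find_test_files "$1" || true
    echo "== runtime setting =="
    check_runtime_display_errors || true
}

# Usage: sh audit.sh /var/www/html/wp-content/plugins   (path is an assumption)
if [ $# -gt 0 ]; then
    audit_plugins "$1"
fi
```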


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-07-08T14:17:23.594Z
CVSS Version: 3.1
State: PUBLISHED

Added to database: 2/25/2026, 9:39:18 PM

Last enriched: 2/26/2026, 3:14:48 AM

Last updated: 2/26/2026, 9:43:08 AM