CVE-2024-6554: CWE-200 Information Exposure in wpmudev Branda – White Label WordPress, Custom Login Page Customizer
CVE-2024-6554 is a medium severity information exposure vulnerability affecting all versions of the Branda – White Label WordPress, Custom Login Page Customizer plugin up to and including 3.4.18. The flaw arises from improper access controls on the composer files the plugin ships, allowing unauthenticated attackers to retrieve the full filesystem path of the web application. Full path disclosure has a low direct impact on confidentiality and none on integrity or availability, but it hands an attacker the absolute location of the installation, which other vulnerabilities (for example local file inclusion) often need in order to be exploited reliably. No user interaction or authentication is required to exploit this issue. There are currently no known exploits in the wild, and no official patches have been released yet. Organizations using this plugin should monitor for updates and, in the meantime, block direct HTTP access to composer files at the web server. The plugin is widely deployed, so exposure is global, with the largest affected populations in countries with high WordPress adoption. The severity is rated medium: exploitation is trivial and unauthenticated, but the standalone damage potential is low.
AI Analysis
Technical Summary
CVE-2024-6554 is an information exposure vulnerability classified under CWE-200 that affects the Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress. The vulnerability exists because the plugin ships composer-managed dependencies without adequately restricting direct HTTP access to those files. Requesting one of them directly, outside the normal WordPress bootstrap, lets an unauthenticated attacker learn the full filesystem path of the web server directory hosting the site. The disclosed path reveals the installation location, directory structure and hosting layout, which is valuable reconnaissance for attackers planning further exploitation, such as local file inclusion or remote code execution, if other vulnerabilities are present. The vulnerability affects all versions up to and including 3.4.18. Exploitation requires no authentication or user interaction and can be performed remotely over the network. The CVSS v3.1 base score is 5.3, corresponding to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: medium severity because of the limited impact on confidentiality and no direct impact on integrity or availability. No known exploits have been reported in the wild, and no official patches have been published at the time of disclosure. The root cause is a failure to prevent direct HTTP access to composer files. Such files should be protected either by web server configuration or by plugin code changes, for instance by serving a 403 from the vendor directory or by guarding entry points so they exit when loaded outside WordPress (the conventional check that the ABSPATH constant is defined). This issue highlights the importance of secure handling of third-party dependencies within WordPress plugins to prevent information leakage.
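The check a practitioner would run against their own site follows, as an added example for this advisory rather than code from the Branda plugin or from wpmudev. It demonstrates the disclosure condition described above and its absence: PHP files requested directly usually leak the absolute path inside PHP warning or fatal-error text, so the script extracts paths only from those diagnostic shapes (not from ordinary links), classifies each response as exposed, blocked or merely reachable, and can probe a live site. The plugin directory name `branda-white-labeling` and the two candidate file names are assumptions used as placeholders, since the page does not name the files; the three sample responses are constructed, not captured.

```python
"""
Full-path-disclosure (FPD) check for directly requested PHP files.

Added example for CVE-2024-6554; not code from the Branda plugin or wpmudev.
The plugin slug and candidate file list are ASSUMPTIONS (placeholders);
substitute the composer-managed files found under the installed plugin.
"""
import re
import sys
import urllib.error
import urllib.request

# Absolute path as PHP prints it: Unix (/var/www/...) or Windows (C:\inetpub\...).
# Stops at whitespace, brackets, quotes and ':' so "file.php:12" and
# "require(/x.php)" do not swallow trailing characters.
_ABS = r"(/[^\s()<>:'\"]+|[A-Za-z]:\\[^\s()<>:'\"]+)"

# Path shapes that occur only in PHP diagnostics, never in plain HTML links:
#   "... in /abs/file.php on line 12"  (warnings/notices with display_errors=On)
#   "... in /abs/file.php:12"          (uncaught Error/Exception traces)
#   "require_once(/abs/file.php): Failed to open stream"
_IN_FILE = re.compile(r"\bin\s+" + _ABS + r"(?::\d+|\s+on\s+line\s+\d+)")
_OPEN_CALL = re.compile(
    r"\b(?:require|include|require_once|include_once|fopen|file_get_contents)\("
    + _ABS + r"\)"
)

# Placeholder candidates (assumption): slug and file names are not from the
# advisory. List the real vendor/ files shipped by the plugin here.
CANDIDATE_FILES = [
    "wp-content/plugins/branda-white-labeling/vendor/autoload.php",
    "wp-content/plugins/branda-white-labeling/vendor/composer/autoload_real.php",
]

# Constructed sample responses (not captured from a real site).
SAMPLE_WARNING = (
    "<br />\n<b>Warning</b>:  require_once(/var/www/html/wp-content/plugins/"
    "branda-white-labeling/vendor/autoload.php): Failed to open stream: "
    "No such file or directory in <b>/var/www/html/wp-content/plugins/"
    "branda-white-labeling/inc/bootstrap.php</b> on line <b>12</b><br />\n"
)
SAMPLE_FATAL = (
    "PHP Fatal error:  Uncaught Error: Call to undefined function plugin_dir_path() in "
    "C:\\inetpub\\wwwroot\\wp-content\\plugins\\branda-white-labeling\\inc\\bootstrap.php:8\n"
    "Stack trace:\n#0 {main}\n  thrown in C:\\inetpub\\wwwroot\\wp-content\\plugins\\"
    "branda-white-labeling\\inc\\bootstrap.php on line 8\n"
)
SAMPLE_CLEAN = (
    '<!doctype html><a href="/wp-content/plugins/branda-white-labeling/'
    'vendor/autoload.php">link</a>'
)


def find_disclosed_paths(body: str) -> list[str]:
    """Return absolute server paths leaked in a response body, in order of appearance."""
    text = re.sub(r"<[^>]+>", "", body)  # drop the <b>/<br> html_errors wraps around paths
    hits = []
    for rx in (_IN_FILE, _OPEN_CALL):
        hits.extend((m.start(1), m.group(1)) for m in rx.finditer(text))
    ordered = []
    for _, path in sorted(hits):
        if path not in ordered:
            ordered.append(path)
    return ordered


def classify_response(status: int, body: str) -> str:
    """
    exposed   : body leaks an absolute path (the CVE-2024-6554 condition), any status
    blocked   : web server refused the direct request, i.e. a deny rule is in place
    reachable : file served but no path in the body (errors hidden or file inert);
                still worth blocking, but not disclosing anything by itself
    """
    if find_disclosed_paths(body):
        return "exposed"
    if status in (401, 403, 404, 410):
        return "blocked"
    return "reachable"


def probe(base_url: str, paths: list[str], timeout: float = 10.0) -> dict[str, str]:
    """Request each candidate file directly and classify the answer (needs network access)."""
    results = {}
    for rel in paths:
        url = base_url.rstrip("/") + "/" + rel.lstrip("/")
        req = urllib.request.Request(url, headers={"User-Agent": "fpd-check/1.0"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:  # 4xx/5xx bodies still merit inspection
            status, body = e.code, e.read().decode("utf-8", "replace")
        except urllib.error.URLError as e:
            results[rel] = f"error: {e.reason}"
            continue
        results[rel] = classify_response(status, body)
    return results


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    for rel, verdict in probe(base, CANDIDATE_FILES).items():
        print(f"{verdict:10s} {rel}")
```

Run it as `python3 fpd_check.py https://example.org` against a site you are authorised to test. A verdict of `exposed` reproduces the advisory's condition; `blocked` is what you should see after the web-server deny rule from the mitigation section is in place; `reachable` means the file is still served but the response carries no path, typically because display_errors is off, which hides the symptom without removing the exposed file.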
Potential Impact
The primary impact of CVE-2024-6554 is disclosure of the absolute filesystem path of the WordPress installation to unauthenticated attackers. On its own this exposes no credentials or content and does not touch system integrity, but it removes the guesswork from attacks that need an absolute path, such as local file inclusion or path traversal, and it reveals environment details (operating system, hosting layout, web root) that guide further exploitation. For organizations the risk is therefore conditional: it rises in proportion to any other weakness present in the same WordPress environment. The vulnerability does not directly affect integrity or availability. Because exploitation needs neither authentication nor user interaction, attackers can perform this reconnaissance at scale against every site running the vulnerable plugin and then concentrate on high-value targets that also carry additional vulnerabilities or misconfigurations. The absence of known exploits in the wild limits immediate risk, but path disclosure is exactly the kind of information that accelerates future attacks once combined with other flaws.
Mitigation Recommendations
Organizations should implement the following specific mitigations to reduce risk from CVE-2024-6554:
1) Immediately restrict direct HTTP access to the composer files and directories used by the Branda plugin (typically the vendor/ tree plus composer.json and composer.lock) via web server configuration, e.g. .htaccess rules for Apache or location blocks for Nginx. PHP includes these files from disk, so blocking HTTP requests to them does not affect the plugin's operation. After applying the rule, request one of the files directly and confirm the server answers 403 or 404 rather than serving content.
2) Because full-path disclosure from a directly requested PHP file is normally carried in PHP warning or fatal-error output, keep display_errors off in production (and WP_DEBUG_DISPLAY false in wp-config.php). This suppresses the leak even where a file remains reachable, but it complements item 1 rather than replacing it.
3) Monitor official wpmudev communications and update the Branda plugin promptly once a security patch addressing this vulnerability is released.
4) Conduct a thorough security audit of the WordPress environment to identify and remediate any additional vulnerabilities that could be exploited in conjunction with this information disclosure.
5) Employ web application firewalls (WAFs) with rules to detect and block requests that target composer files or otherwise attempt path disclosure.
6) Limit plugin usage to trusted sources and minimize the number of installed plugins to reduce attack surface.
7) Harden WordPress installations by following best practices such as disabling directory listing, enforcing least privilege on file permissions, and regularly scanning for vulnerabilities.
8) Educate site administrators about the risks of information disclosure and the importance of timely patching and secure configuration.
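The following site-root .htaccess fragment is an added example of the web-server restriction recommended above; it is not a configuration shipped by wpmudev or Branda. It assumes Apache 2.4 with mod_rewrite and the default wp-content layout, and since this page does not name the specific composer files, the pattern covers the vendor/ tree and composer metadata of every installed plugin. It goes in the site root rather than inside the plugin directory because plugin updates overwrite the plugin's own files, including any .htaccess placed there.

```apache
# Added example (not from wpmudev/Branda). Put this above the
# "# BEGIN WordPress" block so it is evaluated before the front-controller rule.
# Assumes Apache 2.4 with mod_rewrite and the default wp-content layout.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Refuse direct HTTP requests for composer artifacts of any plugin:
    #   wp-content/plugins/<slug>/vendor/...          (composer-installed code)
    #   wp-content/plugins/<slug>/composer.json|lock  (composer metadata)
    # PHP's own include/require of these files reads from disk and is unaffected.
    RewriteRule ^wp-content/plugins/[^/]+/(vendor/|composer\.(json|lock)$) - [F,L,NC]
</IfModule>
```

The Nginx equivalent is a regex location such as `location ~* ^/wp-content/plugins/[^/]+/(vendor/|composer\.(json|lock)$) { deny all; }`, which must appear before the `location ~ \.php$` FastCGI handler because Nginx uses the first matching regex location. Verify either variant with `curl -i https://example.org/wp-content/plugins/<slug>/vendor/autoload.php` (substituting the real plugin directory and a file that exists there) and confirm a 403 with no path in the body.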
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-08T14:21:10.292Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c06b7ef31ef0b55f1ba
Added to database: 2/25/2026, 9:39:18 PM
Last enriched: 2/26/2026, 3:15:01 AM
Last updated: 2/26/2026, 8:08:58 AM