CVE-2024-6555 is an information exposure vulnerability classified under CWE-200, found in the WP Popups – WordPress Popup builder plugin developed by timersys. The vulnerability exists in all versions up to and including 2.2.0.1. The root cause is the plugin's reliance on the mobiledetect library without implementing proper access controls to prevent direct access to certain files. This misconfiguration allows unauthenticated remote attackers to retrieve the full filesystem path of the web application by directly accessing these files. Full path disclosure can reveal sensitive directory structures and server environment details, which, while not immediately harmful, can facilitate further attacks such as local file inclusion, remote code execution, or privilege escalation if other vulnerabilities are present. The CVSS v3.1 base score is 5.3, reflecting a medium severity level, with an attack vector of network (remote), no privileges required, no user interaction, and limited confidentiality impact. There are no known exploits in the wild, and no patches have been released at the time of publication. The vulnerability is primarily a reconnaissance aid for attackers rather than a direct exploit vector.

The primary impact of CVE-2024-6555 is the exposure of the full filesystem path of the affected WordPress installation. This information disclosure can assist attackers in crafting more precise and effective attacks by revealing directory structures and server configurations. While the vulnerability alone does not allow data theft, code execution, or denial of service, it lowers the barrier for exploiting other vulnerabilities that may exist on the same system. Organizations running the vulnerable plugin may face increased risk of targeted attacks, especially if other security weaknesses are present. The impact is greater in environments where multiple vulnerabilities coexist or where attackers have the capability to chain exploits. Since WordPress powers a significant portion of the web, and WP Popups is a popular plugin, the scope of affected systems is broad, potentially affecting websites worldwide. However, the lack of known exploits and the medium severity rating indicate that immediate critical damage is unlikely without additional vulnerabilities.

1. Monitor for official patches or updates from the plugin vendor and apply them promptly once available. 2. As a temporary measure, restrict direct access to the vulnerable files by configuring web server rules (e.g., using .htaccess for Apache or location blocks for Nginx) to deny HTTP requests to the mobiledetect-related files or other plugin files that expose the full path. 3. Employ a Web Application Firewall (WAF) with custom rules to block suspicious requests targeting the plugin files. 4. Conduct a comprehensive security audit of the WordPress environment to identify and remediate other vulnerabilities that could be chained with this information disclosure. 5. Limit plugin usage to only trusted and necessary plugins, and consider alternatives if the vendor does not provide timely fixes. 6. Implement least privilege principles on the web server and file system to minimize the impact of information disclosure. 7. Regularly back up website data and configurations to enable recovery in case of compromise.