CVE-2024-6567: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in motovnet Ebook Store
The Ebook Store plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.8001. This is due to the plugin utilizing fpdi-protection and not preventing direct access to test files that have display_errors set to true. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. The plugin vendor removed the test files, however, did not increment the version meaning this is inadequately patched in the same version that is affected.
AI Analysis
Technical Summary
CVE-2024-6567 is a Full Path Disclosure vulnerability in the motovnet Ebook Store WordPress plugin (versions up to 5.8001). The issue arises from the presence of test files with PHP error display enabled (display_errors=true) that are accessible without authentication. This exposure reveals the full filesystem path of the web application, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Although the vendor removed the test files, the version number was not incremented, indicating the patch is inadequately applied in the same version. The disclosed path information can facilitate further attacks if other vulnerabilities exist.
Potential Impact
The vulnerability exposes the full filesystem path of the web application to unauthenticated attackers, which is sensitive information that can aid in further exploitation. However, the information disclosed does not directly compromise confidentiality, integrity, or availability by itself. No known exploits are reported in the wild. The medium CVSS score reflects limited impact without additional vulnerabilities.
Mitigation Recommendations
Patch status is not yet confirmed as the vendor removed the test files but did not release a new version, resulting in an inadequately patched state. Users should verify with the vendor for an official fixed version or apply manual mitigations such as removing or restricting access to test files with display_errors enabled. Until an official fix is released, restricting access to these files or disabling error display in production environments is recommended.
CVE-2024-6567: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in motovnet Ebook Store
Description
The Ebook Store plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 5.8001. This is due to the plugin utilizing fpdi-protection and not preventing direct access to test files that have display_errors set to true. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. The plugin vendor removed the test files, however, did not increment the version meaning this is inadequately patched in the same version that is affected.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2024-6567 is a Full Path Disclosure vulnerability in the motovnet Ebook Store WordPress plugin (versions up to 5.8001). The issue arises from the presence of test files with PHP error display enabled (display_errors=true) that are accessible without authentication. This exposure reveals the full filesystem path of the web application, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Although the vendor removed the test files, the version number was not incremented, indicating the patch is inadequately applied in the same version. The disclosed path information can facilitate further attacks if other vulnerabilities exist.
Potential Impact
The vulnerability exposes the full filesystem path of the web application to unauthenticated attackers, which is sensitive information that can aid in further exploitation. However, the information disclosed does not directly compromise confidentiality, integrity, or availability by itself. No known exploits are reported in the wild. The medium CVSS score reflects limited impact without additional vulnerabilities.
Mitigation Recommendations
Patch status is not yet confirmed as the vendor removed the test files but did not release a new version, resulting in an inadequately patched state. Users should verify with the vendor for an official fixed version or apply manual mitigations such as removing or restricting access to test files with display_errors enabled. Until an official fix is released, restricting access to these files or disabling error display in production environments is recommended.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-07-08T15:26:52.395Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c06b7ef31ef0b55f23d
Added to database: 2/25/2026, 9:39:18 PM
Last enriched: 4/9/2026, 8:10:52 AM
Last updated: 4/12/2026, 7:57:55 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.