CVE-2024-6574: CWE-200 Information Exposure in stijnvanderree Laposta
CVE-2024-6574 is a medium severity information exposure vulnerability in the Laposta WordPress plugin (all versions up to 1.12). It allows unauthenticated attackers to access test files directly, disclosing the full filesystem path of the web application. While the disclosed path information alone does not compromise the site, it can facilitate further attacks if combined with other vulnerabilities. The plugin is no longer maintained and has been removed from distribution, increasing risk for sites still running it. No known exploits are currently in the wild. The vulnerability requires no authentication or user interaction and has a CVSS score of 5.3. Organizations using this plugin should consider removing or replacing it and restricting access to sensitive files to mitigate risk.
AI Analysis
Technical Summary
The Laposta plugin for WordPress suffers from a Full Path Disclosure vulnerability identified as CVE-2024-6574, classified under CWE-200 (Information Exposure). This vulnerability exists in all versions up to and including 1.12 due to the plugin failing to restrict direct access to several test files embedded within its package. When an unauthenticated attacker requests these test files, the server responds with error messages or content that reveals the full filesystem path of the web application. Although this information disclosure does not directly compromise confidentiality, integrity, or availability, it can provide valuable reconnaissance data to attackers. Knowing the exact file system structure can aid in crafting targeted attacks, such as local file inclusion (LFI), remote code execution (RCE), or privilege escalation, especially if other vulnerabilities exist on the site. The plugin is no longer maintained and has been removed from official download sources, which means no patches or updates will be provided, leaving existing installations vulnerable indefinitely. The vulnerability has a CVSS v3.1 base score of 5.3, reflecting its moderate impact and ease of exploitation (network attack vector, no privileges or user interaction required). No known exploits have been reported in the wild to date. The lack of patch availability and ongoing use of the plugin in some environments pose a persistent security risk.
Potential Impact
The primary impact of this vulnerability is information disclosure that can facilitate further exploitation. Attackers gaining knowledge of the full filesystem path can better understand the server environment, increasing the likelihood of successful attacks leveraging other vulnerabilities. While the vulnerability alone does not allow direct compromise, it lowers the barrier for attackers to perform more damaging actions such as code injection, file inclusion, or privilege escalation. Organizations running the Laposta plugin on WordPress sites may face increased risk of targeted attacks, especially if other security weaknesses exist. Since the plugin is unmaintained, affected sites cannot rely on vendor patches, increasing exposure duration. This can lead to data breaches, website defacement, or service disruption if chained with other exploits. The medium severity rating reflects moderate confidentiality impact without direct integrity or availability effects.
Mitigation Recommendations
1. Immediately identify and inventory all WordPress sites using the Laposta plugin, especially versions up to 1.12.
2. Remove the Laposta plugin entirely from all affected sites, as it is no longer maintained and no patches are available.
3. If removal is not immediately possible, restrict access to the plugin’s test files by configuring web server rules (e.g., .htaccess or nginx config) to deny all external requests to these files.
4. Harden WordPress installations by disabling directory listing and ensuring error messages do not leak sensitive path information.
5. Conduct a thorough security audit of affected sites to identify and remediate any additional vulnerabilities that could be exploited in combination with this information disclosure.
6. Monitor web server logs for suspicious requests targeting test files or unusual access patterns.
7. Educate site administrators about the risks of using unmaintained plugins and the importance of timely updates or replacements.
8. Consider deploying Web Application Firewalls (WAFs) with rules to block attempts to access known test files or paths related to Laposta.
9. Regularly back up website data and configurations to enable rapid recovery if compromise occurs.
Affected Countries
United States, Germany, Netherlands, United Kingdom, France, Canada, Australia, India, Brazil, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-07-08T16:01:51.177Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c08b7ef31ef0b55f2c8
Added to database: 2/25/2026, 9:39:20 PM
Last enriched: 2/26/2026, 3:16:16 AM
Last updated: 2/26/2026, 11:19:28 AM