CVE-2024-7410: CWE-200 Information Exposure in esthertyler My Custom CSS PHP & ADS
CVE-2024-7410 is a medium severity vulnerability in the esthertyler My Custom CSS PHP & ADS WordPress plugin, affecting all versions up to 3.3. It allows unauthenticated attackers to access the /my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php file directly, which discloses the full filesystem path of the web application. While this information disclosure does not directly compromise confidentiality, integrity, or availability, it can aid attackers in crafting further exploits if other vulnerabilities exist. No user interaction or authentication is required to exploit this issue. There are currently no known active exploits in the wild, and no official patches have been published yet. Organizations using this plugin should restrict direct access to sensitive files and monitor for suspicious activity. The vulnerability primarily impacts WordPress sites using this plugin, with higher risk in countries where WordPress market share and plugin usage are significant.
AI Analysis
Technical Summary
CVE-2024-7410 is an information exposure vulnerability classified under CWE-200, found in the esthertyler My Custom CSS PHP & ADS plugin for WordPress. The vulnerability arises because the plugin fails to restrict direct access to the file /my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php. When accessed, this PHP file reveals the full filesystem path of the web server hosting the WordPress site. This disclosure occurs without requiring any authentication or user interaction, making it trivially exploitable remotely. The full path disclosure can provide attackers with valuable information about the server environment, directory structure, and installation paths, which can be leveraged to facilitate more targeted attacks such as local file inclusion, remote code execution, or privilege escalation if other vulnerabilities are present. However, the disclosed information alone does not allow direct compromise of the system. The vulnerability affects all versions of the plugin up to and including version 3.3. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the low impact on confidentiality and no impact on integrity or availability. No patches or fixes have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability was publicly disclosed on August 9, 2024.
Potential Impact
The primary impact of this vulnerability is the exposure of sensitive server information, specifically the full filesystem path of the WordPress installation. While this does not directly compromise data confidentiality, integrity, or availability, it lowers the attacker's barrier to launching more severe attacks by providing critical environmental details. Attackers can use this information to fine-tune exploits targeting other vulnerabilities such as file inclusion, directory traversal, or code injection. For organizations, this means an increased risk of chained attacks that could lead to data breaches, website defacement, or service disruption if other weaknesses exist. The vulnerability affects all websites using the vulnerable plugin version, potentially exposing thousands of WordPress sites worldwide. However, the lack of direct exploitability and the absence of known active exploits reduce the immediate risk. Nonetheless, organizations should treat this as a moderate threat that could facilitate more damaging attacks if combined with other vulnerabilities.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement the following specific measures:
- Immediately restrict direct access to the vulnerable PHP file (/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php) by configuring web server rules (e.g., .htaccess for Apache or location blocks for Nginx) to deny all external requests to this path.
- If possible, remove or disable the vulnerable plugin until a patch is released.
- Monitor web server logs for any attempts to access the vulnerable file or other suspicious activity indicating reconnaissance.
- Employ a Web Application Firewall (WAF) with custom rules to block requests targeting this file or similar sensitive plugin paths.
- Keep WordPress core, themes, and plugins updated regularly and subscribe to security advisories for timely patching.
- Conduct a thorough security audit to identify and remediate other vulnerabilities that could be chained with this information disclosure.
- Limit file and directory permissions on the server to the minimum necessary to reduce information leakage.
These targeted actions go beyond generic advice and directly address the exposure vector.
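The log-monitoring step above is the one most easily automated. The following script is an added example, not part of the advisory or of the plugin: it parses Apache/Nginx combined-format access log lines, flags requests for the exposed exportToJSON.php path (normalizing percent-encoding, doubled slashes and letter case so trivial evasions are not missed), and splits hits into served (2xx) versus denied responses so an operator can confirm that the deny rule from the first mitigation step is actually taking effect. The /wp-content/plugins/ prefix is assumed to be the plugin's install location, and the log lines are constructed sample data.

```python
"""Detect access attempts against the exposed exportToJSON.php path in
Apache/Nginx combined-format access logs.

Added example for the monitoring step of the mitigation list; it is not
code from the advisory or from the My Custom CSS PHP & ADS plugin.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Path taken from the advisory. The standard WordPress plugin directory
# (/wp-content/plugins/) is assumed to precede it on a real site.
EXPOSED_PATH = "/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php"

# Apache/Nginx "combined" log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_path(target):
    """Drop the query string, percent-decode twice (catches double encoding),
    collapse repeated slashes and lowercase, so comparisons are not fooled
    by cosmetic variations of the same path."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    path = re.sub(r"/+", "/", path)
    return path.lower()


def is_exposed_path_request(target):
    """True when the request target resolves to the exposed plugin file."""
    return normalize_path(target).endswith(EXPOSED_PATH.lower())


def scan_log(lines):
    """Return one record per log line that requested the exposed file.
    Lines that do not parse as combined format are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_exposed_path_request(m.group("target")):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "target": m.group("target"),
            })
    return hits


def summarize(hits):
    """Count hits per source IP and separate served (2xx) from denied
    responses; any served hit means the deny rule is not in place yet."""
    per_ip = Counter(h["ip"] for h in hits)
    served = sum(1 for h in hits if 200 <= h["status"] < 300)
    return {
        "total": len(hits),
        "served": served,
        "blocked": len(hits) - served,
        "per_ip": dict(per_ip),
    }


# Constructed sample log lines (documentation IP ranges, not real traffic).
_P = "/wp-content/plugins/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/"
SAMPLE_LOG = [
    # served before the deny rule was added
    '203.0.113.10 - - [25/Feb/2026:21:40:01 +0000] "GET ' + _P + 'exportToJSON.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # percent-encoded dot plus a query string, now denied
    '203.0.113.10 - - [25/Feb/2026:21:41:13 +0000] "GET ' + _P + 'exportToJSON%2Ephp?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
    # ordinary, unrelated request
    '198.51.100.7 - - [25/Feb/2026:21:42:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    # doubled leading slash and mixed case, file already removed
    '192.0.2.55 - - [25/Feb/2026:21:45:30 +0000] "GET //wp-content/plugins/My-Custom-CSS/vendor/mobiledetect/mobiledetectlib/export/ExportToJSON.php HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    # line that is not in combined format at all
    "this is not a valid access log line",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {h["target"]}')
    print(summarize(found))
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log"))`. A non-zero `served` count after the deny rule is deployed means the rule is not matching, typically because the request path differs in encoding or case from the literal the rule was written for, which is why the script normalizes before comparing.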
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-08-02T12:27:06.012Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c16b7ef31ef0b55fc53
Added to database: 2/25/2026, 9:39:34 PM
Last enriched: 2/26/2026, 3:38:13 AM
Last updated: 2/26/2026, 6:17:00 AM