CVE-2024-7514 is a path traversal vulnerability classified under CWE-22 found in the WordPress Comments Import & Export plugin developed by webtoffee. The flaw arises from improper validation of file paths during the comments import process, allowing authenticated users with Author-level or higher privileges to manipulate file paths and read arbitrary files on the server. This vulnerability affects all versions up to and including 2.3.7. The attack vector is remote network access with low attack complexity and no user interaction required beyond authentication. The vulnerability enables disclosure of sensitive server-side files, potentially including configuration files, database credentials, or other sensitive data stored on the web server. Partial remediation was introduced in version 2.3.8, with a complete fix in 2.3.9. The CVSS v3.1 base score is 6.5, indicating a medium severity primarily due to the high confidentiality impact (C:H), no impact on integrity or availability, and the requirement for privileges (PR:L). No known exploits in the wild have been reported yet, but the vulnerability poses a significant risk to WordPress sites using the affected plugin versions, especially those with multiple authors or contributors. The vulnerability highlights the importance of strict input validation and secure file handling in web applications and plugins.

The primary impact of CVE-2024-7514 is unauthorized disclosure of sensitive information stored on the web server hosting the vulnerable WordPress plugin. Attackers with Author-level access can read arbitrary files, which may include critical configuration files, database credentials, private keys, or other sensitive data. This can lead to further compromise, such as privilege escalation, data breaches, or lateral movement within the network. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach can have severe consequences for organizations, including loss of customer trust, regulatory penalties, and operational disruption. The risk is amplified in environments where multiple users have Author-level or higher privileges, or where the server hosts multiple applications or sensitive data. Since WordPress is widely used globally, and the plugin is popular among site administrators for comment management, the potential attack surface is significant. Organizations running outdated versions of this plugin are at increased risk until they apply the patch or upgrade to a fixed version.

To mitigate CVE-2024-7514, organizations should immediately upgrade the WordPress Comments Import & Export plugin to version 2.3.9 or later, where the vulnerability is fully fixed. If upgrading is not immediately possible, restrict Author-level and higher privileges to trusted users only, minimizing the risk of exploitation. Implement strict access controls and monitor user activities for suspicious file access patterns. Additionally, web application firewalls (WAFs) can be configured to detect and block path traversal attempts targeting the import functionality. Regularly audit installed plugins and remove or disable any that are unnecessary or outdated. Employ file system permissions to limit the web server’s access to sensitive files, reducing the impact of arbitrary file reads. Finally, maintain comprehensive logging and alerting to detect potential exploitation attempts early.