Cyber Resilience

CVE-2024-13617

High · Public PoC

Published: 25 March 2025

Modified: 20 June 2025
KEV Added: not listed
Patch
CVSS Score (v3.1): 8.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS Score: 0.0026 (50.2nd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13617 is a high-severity vulnerability of an unspecified weakness type in Osteopathic Downloadable By American Osteopathic Association. Its CVSS base score is 8.6 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 49.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13617 is a vulnerability in the aoa-downloadable WordPress plugin through version 0.1.0. The issue stems from the plugin's download function failing to validate a parameter, which allows unauthenticated attackers to download arbitrary files from the server.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation yields high confidentiality impact by exposing sensitive server files. The CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) reflects that confidentiality impact together with the changed scope (S:C).

Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/8d6dd979-21ef-4d14-9c42-bbd1d7b65c53/.

EU & UK References

Vulnerability details

The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A vulnerability in a public-facing WordPress plugin enables remote, unauthenticated arbitrary file download, which directly maps to T1190 (exploitation of a public-facing application for initial access) and T1005 (collection of data from local system files).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13618 (same product: Osteopathic Downloadable By American Osteopathic Association)

Affected Assets

Osteopathic Downloadable By American Osteopathic Association, versions ≤ 0.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-10 Information Input Validation (prevent): Directly addresses the plugin's failure to validate the download parameter, preventing arbitrary file paths from being processed.

AC-3 Access Enforcement (prevent): Enforces approved authorizations to block unauthenticated access to arbitrary server files via the download function.

Flaw remediation (prevent): Requires identification and correction of the specific flaw in the aoa-downloadable plugin, such as updating beyond version 0.1.0 or removal.
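The following is an added example, not code from the aoa-downloadable plugin or from WPScan, illustrating the failure mode described in the deeper analysis and the two controls listed above (input validation and access enforcement) as they apply to a WordPress download handler. The request parameter name `file`, the constant `AOA_DEMO_BASE`, the `demo_*` function names and the capability checked are assumptions for illustration; the WordPress functions used (`current_user_can`, `status_header`, `wp_unslash`) are real.

```php
<?php
// Added example: a generic WordPress download handler with the checks the
// advisory says were missing. Not the plugin's own code.

// Assumed directory from which downloads are allowed to be served.
define('AOA_DEMO_BASE', __DIR__ . '/downloads');

// Shape of the weakness the advisory describes (generic illustration only):
// the request value is concatenated into a path and served with no validation,
// so directory components in it are honoured and any readable file is returned.
function demo_unvalidated_download(string $requested): void {
    readfile(__DIR__ . '/downloads/' . $requested);
}

/**
 * SI-10 (input validation): resolve $requested to an absolute path that lies
 * inside $base, or return null. Rejects empty values, anything containing a
 * directory component, non-existent files, and symlinks that escape $base.
 */
function demo_resolve_download_path(string $base, string $requested): ?string {
    // Only a bare file name is acceptable; "a/b" or "../x" both fail this test.
    if ($requested === '' || basename($requested) !== $requested) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // realpath() followed any symlink; confirm the final location is still under $base.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/**
 * Hardened handler. In a plugin this would be hooked with
 * add_action('init', 'demo_handle_download'); it returns silently when the
 * request does not carry the (assumed) "file" parameter.
 */
function demo_handle_download(): void {
    if (!isset($_GET['file']) || !is_string($_GET['file'])) {
        return;
    }
    // AC-3 (access enforcement): unauthenticated requests are refused outright.
    // 'read' is the lowest built-in capability; a real plugin would pick the
    // capability that matches who is entitled to these files.
    if (!current_user_can('read')) {
        status_header(403);
        exit;
    }
    // SI-10: validate the parameter against the allowed directory.
    $path = demo_resolve_download_path(AOA_DEMO_BASE, wp_unslash($_GET['file']));
    if ($path === null) {
        status_header(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}
```

The order of the two checks matters for detection as well as prevention: rejecting unauthenticated requests first means a probing request for a traversal payload never reaches the file-system layer, and the 403 it produces is a clean signal in web-server logs for the mitigation's effectiveness. Keeping the resolved path check separate from the authorization check also lets each be unit-tested on its own.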

References