CVE-2024-13617
Published: 25 March 2025
Summary
CVE-2024-13617 is a high-severity vulnerability (weakness type unspecified) in Osteopathic Downloadable by American Osteopathic Association. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked in the top 49.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13617 is a vulnerability in the aoa-downloadable WordPress plugin through version 0.1.0. The issue stems from the plugin's download function failing to validate a parameter, which allows unauthenticated attackers to download arbitrary files from the server.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Exploitation has a high confidentiality impact because it exposes sensitive server files (on a WordPress host the usual target is wp-config.php, which holds database credentials and authentication salts). The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N; the changed scope (S:C), reflecting that files outside the plugin's own directory are reachable, is what raises the score from 7.5 to 8.6.
Mitigation details are available in the WPScan advisory at https://wpscan.com/vulnerability/8d6dd979-21ef-4d14-9c42-bbd1d7b65c53/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54507
Vulnerability details
The aoa-downloadable WordPress plugin through 0.1.0 doesn't validate a parameter in its download function, allowing unauthenticated attackers to download arbitrary files from the server
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress plugin that allows remote, unauthenticated arbitrary file download maps directly to T1190 (exploitation of a public-facing application for initial access) and T1005 (collection of data from the local system, here the server's files).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the plugin's failure to validate the download parameter, so that arbitrary file paths are rejected before they reach the filesystem.
- AC-3 (Access Enforcement): enforces approved authorizations, blocking unauthenticated access to arbitrary server files through the download function.
- Flaw remediation: requires identifying and correcting the specific flaw in the aoa-downloadable plugin, by updating to a release newer than 0.1.0 that contains a fix if one is available, or by removing the plugin.
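The pattern described under "Deeper analysis" (a download function that joins an attacker-controlled value onto a directory with no validation) and the input-validation fix that the SI-10 control above refers to, shown side by side. This is an added illustration, not code from the aoa-downloadable plugin: the plugin is PHP and the page does not name the vulnerable parameter, so the parameter handling, the `wp-content/uploads/downloads` layout, the `.pdf`/`.zip` allow-list and the sample files are all constructed assumptions. The hardened resolver canonicalises the path, checks that it stays inside the download directory, and then checks the file type; the containment check is done on the resolved path so that a symlink inside the directory pointing outside it is refused as well.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical allow-list: the file types a download function is meant to serve.
ALLOWED_SUFFIXES = {".pdf", ".zip"}


def resolve_vulnerable(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: the request value is joined onto the download
    directory with no validation. '../' segments walk out of base_dir, and
    os.path.join discards base_dir entirely when `requested` is absolute."""
    return os.path.normpath(os.path.join(base_dir, requested))


def resolve_hardened(base_dir: str, requested: str) -> Optional[Path]:
    """Hardened pattern (SI-10): canonicalise, then verify containment and
    file type before serving. Returns None for anything that must be refused."""
    base = Path(base_dir).resolve()
    # Only names relative to the download directory are acceptable.
    if Path(requested).is_absolute():
        return None
    # resolve() collapses '..' and follows symlinks, so a symlink inside
    # base_dir that points outside it is also caught by the containment check.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)  # raises ValueError when outside base
    except ValueError:
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    if not candidate.is_file():
        return None
    return candidate


def run_demo() -> dict:
    """Build a constructed WordPress-like tree in a temp dir and run both
    resolvers against benign and hostile inputs. Returns a dict of outcomes."""
    with tempfile.TemporaryDirectory() as root:
        root_p = Path(root)
        downloads = root_p / "wp-content" / "uploads" / "downloads"
        downloads.mkdir(parents=True)
        (downloads / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        (downloads / "notes.php").write_text("<?php // must never be served\n")
        # Constructed stand-in for the site's secrets file, three levels up.
        secrets = root_p / "wp-config.php"
        secrets.write_text("<?php define('DB_PASSWORD', 'constructed');\n")

        base = str(downloads)
        traversal = "../../../wp-config.php"
        absolute = str(secrets)

        return {
            # The vulnerable resolver hands back the secrets file either way.
            "vuln_traversal_escapes":
                Path(resolve_vulnerable(base, traversal)).resolve() == secrets.resolve(),
            "vuln_absolute_escapes":
                Path(resolve_vulnerable(base, absolute)).resolve() == secrets.resolve(),
            # The hardened resolver serves only the intended file.
            "hard_benign": resolve_hardened(base, "report.pdf") is not None,
            "hard_traversal": resolve_hardened(base, traversal),
            "hard_absolute": resolve_hardened(base, absolute),
            "hard_wrong_type": resolve_hardened(base, "notes.php"),
        }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The `is_file()` check also turns a request for a directory or a missing file into the same refusal as a traversal attempt, which keeps the handler from leaking whether a path exists outside the download directory.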