CVE-2024-13622
Published: 18 February 2025
Summary
CVE-2024-13622 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Imaginate-Solutions File Uploads Addon For Woocommerce. Its CVSS base score is 7.5 (High).
Operationally, it ranks at the 37.6th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly protects confidentiality of sensitive information on public web systems like WordPress, preventing unauthenticated access to insecurely stored customer files in the /wp-content/uploads directory.
- AC-22 (Publicly Accessible Content): Mandates controls to designate and review publicly accessible content, ensuring sensitive customer-uploaded attachments are not exposed via the plugin's uploads directory.
- AC-3 (Access Enforcement): Enforces logical access controls to block unauthenticated attackers from extracting sensitive data stored in the publicly accessible /wp-content/uploads directory.
NVD Description
The File Uploads Addon for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.7.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory which can contain file attachments uploaded by customers.
Deeper analysis
CVE-2024-13622 is a sensitive information exposure vulnerability (CWE-200) in the File Uploads Addon for WooCommerce plugin for WordPress, affecting all versions up to and including 1.7.1. The flaw occurs via the 'uploads' directory, where sensitive data is stored insecurely in the /wp-content/uploads directory, which can contain file attachments uploaded by customers.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction or privileges required, earning it a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Exploitation enables attackers to extract the sensitive data from the uploads directory.
Advisories and related resources, including Wordfence threat intelligence and WordPress plugin trac entries, provide code references to affected files such as class-wau-front-end.php and woocommerce-addon-uploads.php, along with a specific changeset detailing changes in the woo-addon-uploads repository. Security practitioners should consult these for patch details and mitigation guidance.
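The control the page names as the strongest mitigation, AC-3 access enforcement on the uploads tree, can be checked and applied from the defender's side. The following is an added example written for this page, not code from the plugin or from any advisory: it audits a WordPress uploads directory for subfolders that hold files but carry no index.php, index.html or .htaccess guard (the condition that lets a web server list or serve customer attachments directly), and prints the nginx or Apache rule that closes direct access so a PHP handler with an authorization check becomes the only path to the files. The plugin's subdirectory name under /wp-content/uploads is not stated on the page, so PLUGIN_UPLOAD_SUBDIR is a placeholder assumption, and the sample tree it audits is constructed inline.

```python
"""Defender-side audit for the exposure class in CVE-2024-13622: customer
attachments stored in a web-served uploads tree with nothing stopping direct
retrieval or directory listing. Constructed example, not the plugin's code."""
from pathlib import Path
import tempfile

# The page does not name the plugin's subdirectory under /wp-content/uploads,
# so this is a placeholder assumption; substitute the real path on your site.
PLUGIN_UPLOAD_SUBDIR = "PLUGIN_UPLOAD_SUBDIR_PLACEHOLDER"

# Files whose presence stops a bare directory from being listed or served.
GUARD_FILES = ("index.php", "index.html", ".htaccess")


def unguarded_dirs(uploads_root: Path) -> list:
    """Return directories (relative to uploads_root) that hold real files but
    carry no guard file. Those are the candidates for direct download."""
    findings = []
    dirs = [uploads_root, *sorted(p for p in uploads_root.rglob("*") if p.is_dir())]
    for d in dirs:
        has_payload = any(c.is_file() and c.name not in GUARD_FILES for c in d.iterdir())
        has_guard = any((d / g).is_file() for g in GUARD_FILES)
        if has_payload and not has_guard:
            findings.append(d.relative_to(uploads_root).as_posix())
    return findings


def nginx_deny_location(subdir: str) -> str:
    """nginx rule enforcing access control (NIST AC-3) on the attachment tree:
    no listing, no direct download; PHP must serve files after an auth check."""
    return (
        f"location ^~ /wp-content/uploads/{subdir}/ {{\n"
        "    autoindex off;\n"
        "    deny all;\n"
        "}\n"
    )


def htaccess_guard() -> str:
    """Apache equivalent, dropped into the attachment directory itself."""
    return "Options -Indexes\nRequire all denied\n"


def audit_sample() -> list:
    """Build a constructed uploads tree in a temp dir and audit it. One
    directory is guarded WordPress-style, one mimics an exposed attachment
    folder; only the latter is reported."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        guarded = root / "2024" / "05"
        guarded.mkdir(parents=True)
        (guarded / "index.php").write_text("<?php // Silence is golden.\n")
        (guarded / "banner.png").write_bytes(b"\x89PNG constructed")
        exposed = root / PLUGIN_UPLOAD_SUBDIR / "order-1001"
        exposed.mkdir(parents=True)
        (exposed / "customer-id-scan.pdf").write_bytes(b"%PDF-1.4 constructed")
        return unguarded_dirs(root)


if __name__ == "__main__":
    for rel in audit_sample():
        print(f"unguarded: {rel}")
        print(nginx_deny_location(rel.split("/")[0]))
        print(htaccess_guard())
```

Run it against a real site with `unguarded_dirs(Path("/var/www/html/wp-content/uploads"))`. Denying all direct HTTP access is deliberate: attachments tied to an order should be streamed by a PHP endpoint that verifies the requester owns that order, which is what the AC-3 control on this page asks for, rather than relying on unguessable file names.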
Details
- CWE(s)