Cyber Posture

CVE-2024-13638

Medium

Published: 28 February 2025

Published
28 February 2025
Modified
06 March 2025
KEV Added
Patch
CVSS Score 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0021 42.6th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13638 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Directsoftware Order Attachments For Woocommerce. Its CVSS base score is 5.9 (Medium).

Operationally, ranked at the 42.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-22 Publicly Accessible Content good match
prevent

AC-22 directly restricts access to sensitive order attachment files stored in the publicly accessible /wp-content/uploads directory, preventing unauthenticated extraction.

AC-3 Access Enforcement good match
prevent

AC-3 enforces logical access controls on system resources like the plugin's uploads directory, blocking unauthorized access to sensitive data without privileges.

SC-14 Public Access Protections good match
prevent

SC-14 protects information such as order attachments from unauthorized public access over the network, addressing the exposure in the web-accessible uploads directory.

NVD Description

The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in…

more

the /wp-content/uploads directory which can contain file attachments added to orders.

Deeper analysisAI

CVE-2024-13638 is a sensitive information exposure vulnerability (CWE-200) affecting the Order Attachments for WooCommerce plugin for WordPress in all versions up to and including 2.5.1. The issue stems from insecure storage of sensitive data in the /wp-content/uploads directory, where file attachments added to orders are placed without proper access controls via the plugin's 'uploads' directory handling. It has a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but requiring high attack complexity.

Unauthenticated attackers can exploit this vulnerability remotely over the network without user interaction or privileges. By accessing the exposed uploads directory, they can extract sensitive data such as order-related file attachments stored insecurely, potentially leading to disclosure of customer or business information contained in those files.

Advisories reference source code locations in the plugin's Attachment.php and Ajax.php files, as well as Wordfence threat intelligence detailing the vulnerability (ID: 7e98b1ef-70dd-408d-8644-08933bca1cdd). No specific patch or mitigation details are outlined in the provided references beyond identifying the insecure storage mechanism.

Details

CWE(s)
CWE-200NVD-CWE-noinfo

Affected Products

directsoftware
order attachments for woocommerce
≤ 2.5.1

CVEs Like This One

CVE-2024-13641Same product class: WordPress / CMS plugin
CVE-2024-13622Same product class: WordPress / CMS plugin
CVE-2024-13359Same product class: WordPress / CMS plugin
CVE-2024-12129Same product class: WordPress / CMS plugin
CVE-2024-8425Same product class: WordPress / CMS plugin
CVE-2025-28864Same product class: WordPress / CMS plugin
CVE-2025-2328Same product class: WordPress / CMS plugin
CVE-2025-1912Same product class: WordPress / CMS plugin
CVE-2025-24618Same product class: WordPress / CMS plugin
CVE-2025-1441Same product class: WordPress / CMS plugin

References