Cyber Resilience

CVE-2024-13638

Medium

Published: 28 February 2025

Modified: 06 March 2025
KEV Added: none (not listed in the CISA KEV catalog)
Patch: no patch reference available
CVSS v3.1 score: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0021 (42.9th percentile)
Risk priority: 12 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13638 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Directsoftware's Order Attachments For WooCommerce plugin. Its CVSS base score is 5.9 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.9th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-13638 is a sensitive information exposure vulnerability (CWE-200) affecting the Order Attachments for WooCommerce plugin for WordPress in all versions up to and including 2.5.1. The issue stems from insecure storage of sensitive data: file attachments added to orders are placed by the plugin's 'uploads' directory handling under the web-accessible /wp-content/uploads directory without proper access controls. It has a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high confidentiality impact but high attack complexity.

Unauthenticated attackers can exploit this vulnerability remotely over the network without user interaction or privileges. By accessing the exposed uploads directory, they can extract sensitive data such as order-related file attachments stored insecurely, potentially leading to disclosure of customer or business information contained in those files.

Advisories reference source code locations in the plugin's Attachment.php and Ajax.php files, as well as Wordfence threat intelligence describing the vulnerability (ID: 7e98b1ef-70dd-408d-8644-08933bca1cdd). Beyond identifying the insecure storage mechanism, the provided references outline no specific patch or mitigation details.


Vulnerability details

The Order Attachments for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.5.1 via the 'uploads' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/uploads directory, which can contain file attachments added to orders.

CWE(s)

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

A vulnerability in a public-facing WordPress plugin enables remote, unauthenticated file access to the web-exposed uploads directory (T1190), which directly facilitates collection of sensitive data stored on the local system (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13622: same product class (WordPress / CMS plugin)
CVE-2024-13641: same product class (WordPress / CMS plugin)
CVE-2025-22973: shared CWE-200
CVE-2025-7360: same product class (WordPress / CMS plugin)
CVE-2024-13792: same product class (WordPress / CMS plugin)
CVE-2024-43707: shared CWE-200
CVE-2024-13606: shared CWE-200
CVE-2024-13921: same product class (WordPress / CMS plugin)
CVE-2024-13558: same product class (WordPress / CMS plugin)
CVE-2024-13611: shared CWE-200

Affected Assets

Vendor: directsoftware
Product: order attachments for woocommerce
Versions: ≤ 2.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent: AC-22 (Publicly Accessible Content) directly restricts access to sensitive order attachment files stored in the publicly accessible /wp-content/uploads directory, preventing unauthenticated extraction.

Prevent: AC-3 (Access Enforcement) enforces logical access controls on system resources such as the plugin's uploads directory, blocking unauthorized access to sensitive data by users without privileges.

Prevent: SC-14 protects information such as order attachments from unauthorized public access over the network, addressing the exposure in the web-accessible uploads directory.
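A defensive pattern for the root cause described above, as an added example that is neither the plugin's code nor part of this page: attachments are kept outside the web root and delivered only through a WordPress AJAX handler that enforces access (NIST AC-3) before reading the file. The storage directory, the order meta key '_example_order_attachments' and the nonce action name are assumptions; a wp_ajax_ hook already runs only for logged-in users, so the explicit login check is defence in depth.

```php
<?php
// Added hardening example (not the plugin's code). Assumptions, labelled:
// - attachments live outside the web root in the directory below (placeholder);
// - each order records its attachment basenames in the hypothetical meta key
//   '_example_order_attachments' as an array of strings.
define( 'EXAMPLE_ATTACH_DIR', dirname( ABSPATH ) . '/private-order-attachments/' );

// Serve one attachment, but only after every access check passes (AC-3).
function example_serve_order_attachment() {
    // Anonymous requests get nothing; wp_ajax_ hooks are logged-in only anyway.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'example_attachment_nonce', 'nonce' );

    $order_id = isset( $_GET['order_id'] ) ? absint( $_GET['order_id'] ) : 0;
    // basename() strips any directory components, so '../' cannot escape the order folder.
    $file  = isset( $_GET['file'] ) ? basename( wp_unslash( $_GET['file'] ) ) : '';
    $order = wc_get_order( $order_id );
    if ( ! $order || '' === $file ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    // Only shop managers or the customer who owns the order may download it.
    $is_owner = (int) $order->get_customer_id() === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // Only files recorded against this order are eligible, and they must exist.
    $allowed = (array) $order->get_meta( '_example_order_attachments' );
    $path    = EXAMPLE_ATTACH_DIR . $order_id . '/' . $file;
    if ( ! in_array( $file, $allowed, true ) || ! is_file( $path ) ) {
        wp_die( 'Not found', '', array( 'response' => 404 ) );
    }

    // Stream the file from the private directory; the web server never exposes it directly.
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $file . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}
add_action( 'wp_ajax_example_order_attachment', 'example_serve_order_attachment' );
```

The same control can be audited from the outside by confirming that a known attachment path under /wp-content/uploads on your own store returns 403 or 404 rather than the file.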
