PT-2024-38326 · WordPress · My Custom Css Php & Ads
Matthew Rollings
+1
·
Published
2024-08-09
·
Updated
2024-08-16
·
CVE-2024-7410
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
My Custom CSS PHP & ADS plugin for WordPress versions up to, and including, 3.3
Description
The issue is related to Full Path Disclosure, which occurs because the plugin does not prevent direct access to the "/my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php" API endpoint. This allows unauthenticated attackers to retrieve the full path of the web application, potentially aiding other attacks. However, the disclosed information is not useful on its own and requires another vulnerability to be present to cause damage to an affected website.
Recommendations
Update the plugin to the latest patched version immediately.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
My Custom Css Php & Ads