CVE-2024-13537

5.3 MEDIUM

📋 TL;DR

The C9 Blocks WordPress plugin ships a publicly reachable script, composer-setup.php, inside its plugin directory. Requesting that file directly returns a response that reveals the absolute filesystem path of the WordPress installation on the server. All sites running C9 Blocks 1.7.7 or earlier are affected. Path disclosure causes no direct damage on its own, but it gives an attacker the exact on-disk location that a file inclusion, directory traversal or upload flaw needs in order to be turned into something worse.

💻 Affected Systems

Products:
  • C9 Blocks WordPress Plugin
Versions: All versions up to and including 1.7.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with C9 Blocks plugin installed and activated.

📦 What is this software?

C9 Blocks is a WordPress plugin that adds a library of blocks for the Gutenberg block editor. It is distributed through the WordPress.org plugin repository under the slug c9-blocks.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers combine path disclosure with other vulnerabilities (like file inclusion or directory traversal) to execute arbitrary code, read sensitive files, or compromise the WordPress installation.

🟠

Likely Case

Attackers gather reconnaissance information about server structure to aid in targeted attacks, increasing success probability for subsequent exploitation attempts.

🟢

If Mitigated

On its own the disclosed path is of little use to an attacker. With the file removed or blocked, the rest of the site patched, and access attempts monitored, the residual impact is minimal.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a single unauthenticated HTTP GET request to the file's path. The request is commonly seen in the reconnaissance phase of attacks against WordPress sites, often as part of automated scanning.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7.8 or later

Vendor Advisory: not linked; the URL below is the affected file's source in the plugin's WordPress.org SVN (trac) browser, not an advisory: https://plugins.trac.wordpress.org/browser/c9-blocks/trunk/composer-setup.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the C9 Blocks plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download the latest version from the WordPress plugin repository and update manually.

🔧 Temporary Workarounds

Remove vulnerable file

Delete composer-setup.php from the plugin directory (adjust the path to your WordPress root). A plugin update or reinstall that still ships the file will put it back, so re-check after every update.

rm /path/to/wordpress/wp-content/plugins/c9-blocks/composer-setup.php

Block access via .htaccess

Deny public access to composer-setup.php with an Apache <Files> directive (a <Files> section, not a rewrite rule). Placed in the WordPress root .htaccess it matches the file name in any subdirectory and survives plugin updates; the host must permit .htaccess overrides (AllowOverride) for it to take effect.

<Files "composer-setup.php">
  # Apache 2.4 (mod_authz_core); on Apache 2.2 use "Order Allow,Deny" followed by "Deny from all" instead
  Require all denied
</Files>

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block requests to composer-setup.php (match the path with or without a query string and under any subdirectory prefix)
  • Monitor and alert on access attempts to composer-setup.php file

🔍 How to Verify

Check if Vulnerable:

Request https://yoursite.com/wp-content/plugins/c9-blocks/composer-setup.php (adjust the prefix if WordPress is installed in a subdirectory). If the response body contains a server-side path, typically inside a PHP warning or fatal error message that names the file's location on disk, the site is vulnerable. Only test sites you are authorised to assess.

Check Version:

Check WordPress admin panel under Plugins > Installed Plugins for C9 Blocks version

Verify Fix Applied:

After updating, request the same URL again. A 404 (file removed) or 403 (access blocked) is the expected result. If the file is still served, the response must at least contain no filesystem path; otherwise the disclosure is not fixed.
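The check above can be automated. The following is an added example written for this page, not code from the advisory or from the C9 Blocks plugin. It recognises the path formats PHP uses in its own warning, fatal-error and stack-trace output, reports what an attacker actually learns from the leak (the document root), and classifies a response as blocked, vulnerable or merely reachable. The sample responses are constructed; the network probe in check_site() assumes you pass a base URL of a site you are authorised to test.

```python
"""Added example (not from the advisory or the plugin): detect a full-path
disclosure in an HTTP response and, optionally, probe a site for it."""
import re
import sys
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# Path of the affected file, relative to the WordPress root (from the advisory).
TARGET_PATH = "/wp-content/plugins/c9-blocks/composer-setup.php"

# PHP error messages name the script that raised them, in one of these shapes:
#   "... in /var/www/html/x.php on line 28"                 (display_errors, text)
#   "... in <b>/var/www/html/x.php</b> on line <b>28</b>"   (html_errors)
#   "... in /var/www/html/x.php:28"                         (uncaught exceptions)
_PHP_ERROR = re.compile(
    r"\bin\s+(?:<b>)?(?P<path>(?:/|[A-Za-z]:\\)\S+?\.php)(?:</b>)?"
    r"(?:\s+on\s+line\s+(?:<b>)?|:)(?P<line>\d+)"
)
# Stack-trace frames: "#0 /var/www/html/x.php(12): process()"
_PHP_TRACE = re.compile(
    r"^#\d+\s+(?P<path>(?:/|[A-Za-z]:\\)\S+?\.php)\((?P<line>\d+)\)", re.M
)


def find_disclosed_paths(body: str) -> List[str]:
    """Return the distinct server-side PHP file paths leaked in a response body."""
    paths: List[str] = []
    for rx in (_PHP_ERROR, _PHP_TRACE):
        for m in rx.finditer(body):
            if m.group("path") not in paths:
                paths.append(m.group("path"))
    return paths


def document_root(path: str) -> Optional[str]:
    """What the attacker learns from a leaked path to the affected file:
    the WordPress document root. None if the path is some other file."""
    norm = path.replace("\\", "/")  # Windows paths use backslashes
    if norm.endswith(TARGET_PATH):
        return path[: len(path) - len(TARGET_PATH)]
    return None


def assess(status: int, body: str) -> str:
    """Classify a response to the target path:
    'blocked'    -> 403/404, file removed or access denied
    'vulnerable' -> a filesystem path is disclosed in the body
    'reachable'  -> file served but no path found (still worth blocking)"""
    if status in (403, 404):
        return "blocked"
    if find_disclosed_paths(body):
        return "vulnerable"
    return "reachable"


def check_site(base_url: str, timeout: float = 10.0) -> Tuple[str, List[str]]:
    """Request the affected file from a site you are authorised to test.
    This is the only function that touches the network."""
    url = base_url.rstrip("/") + TARGET_PATH
    req = urllib.request.Request(url, headers={"User-Agent": "c9-blocks-fpd-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, err.read().decode("utf-8", "replace")
    return assess(status, body), find_disclosed_paths(body)


# Constructed sample responses in PHP's error formats (not captured from a real site).
SAMPLE_HTML_WARNING = (
    "<br />\n<b>Warning</b>:  Undefined variable $argv in "
    "<b>/var/www/html/wp-content/plugins/c9-blocks/composer-setup.php</b> "
    "on line <b>28</b><br />\n"
)
SAMPLE_TEXT_FATAL = (
    "PHP Fatal error:  Uncaught Error: Call to undefined function foo() in "
    "C:\\inetpub\\wwwroot\\wp-content\\plugins\\c9-blocks\\composer-setup.php:12\n"
    "Stack trace:\n#0 {main}\n"
)
SAMPLE_CLEAN = "<html><body>Hello</body></html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, leaked = check_site(sys.argv[1])
    else:
        verdict = assess(200, SAMPLE_HTML_WARNING)
        leaked = find_disclosed_paths(SAMPLE_HTML_WARNING)
    print(verdict, leaked, [document_root(p) for p in leaked])
```

Run it with no arguments to see the offline classification of the constructed samples, or with https://yoursite.com to probe a site. The patterns deliberately require the "in PATH on line N", "in PATH:N" or "#N PATH(N)" shapes rather than any absolute-looking string, so ordinary URL paths in HTML (href="/wp-content/...") are not reported as leaks.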

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /wp-content/plugins/c9-blocks/composer-setup.php
  • 404 or 403 responses for composer-setup.php after patching (scanners keep probing the path, which makes the source addresses easy to identify)

Network Indicators:

  • Unusual scanning patterns targeting plugin directories
  • Repeated requests to composer-setup.php from single IP

SIEM Query:

source="web_logs" AND uri="*/wp-content/plugins/c9-blocks/composer-setup.php*"

The wildcards matter: an exact match on uri misses requests that carry a query string and WordPress installations in a subdirectory. Split the results by status afterwards: 200 means the file was served to the requester, 403 or 404 means the block or patch held.
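For sites without a SIEM, the same detection can be run over raw access logs. The following is an added example written for this page, not code from the advisory, and it assumes the Apache/nginx "combined" log format. It picks out requests for the affected file (with or without a query string, under any subdirectory prefix), summarises them per client, and raises the two indicators listed above: the file being served (status 200) and repeated probing from one address. The log lines are constructed using RFC 5737 documentation addresses.

```python
"""Added example (not from the advisory): flag requests for composer-setup.php
in Apache/nginx combined-format access logs."""
import re
from typing import Dict, List, Optional, Tuple

# Affected file, relative to the WordPress root (from the advisory).
TARGET = "/wp-content/plugins/c9-blocks/composer-setup.php"

# Apache/nginx "combined" log format; other formats need a different pattern.
_COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for lines that do not match."""
    m = _COMBINED.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_target(uri: str) -> bool:
    """True if the request path is the affected file. The query string is
    dropped and endswith() is used so that a WordPress install in a
    subdirectory (/blog/wp-content/...) is matched as well."""
    path = uri.split("?", 1)[0]
    return path.lower().endswith(TARGET)


def summarize(lines: List[str]) -> Dict[str, dict]:
    """Per-client summary of requests for the affected file: number of hits,
    status codes returned, and first/last timestamp seen."""
    hits: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_target(rec["uri"]):
            continue
        h = hits.setdefault(
            rec["ip"], {"count": 0, "statuses": set(), "first": rec["ts"], "last": rec["ts"]}
        )
        h["count"] += 1
        h["statuses"].add(rec["status"])
        h["last"] = rec["ts"]
    return hits


def alerts(summary: Dict[str, dict], repeat_threshold: int = 3) -> List[Tuple[str, str]]:
    """Derive alerts from a summary:
    'served'   -> a 200 was returned, so the file was reachable when probed
                  (the site was unpatched and unblocked at that moment)
    'repeated' -> the same client probed the path repeat_threshold times or more"""
    out: List[Tuple[str, str]] = []
    for ip, h in summary.items():
        if 200 in h["statuses"]:
            out.append((ip, "served"))
        if h["count"] >= repeat_threshold:
            out.append((ip, "repeated"))
    return out


# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/plugins/c9-blocks/composer-setup.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-content/plugins/c9-blocks/composer-setup.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:10:00:03 +0000] "HEAD /wp-content/plugins/c9-blocks/Composer-Setup.php HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2025:10:05:00 +0000] "GET /blog/wp-content/plugins/c9-blocks/composer-setup.php HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Jan/2025:10:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "https://example.com/" "Mozilla/5.0"',
    "garbage line that is not a log entry",
]

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for ip, h in s.items():
        print(ip, h["count"], sorted(h["statuses"]), h["first"], "->", h["last"])
    print(alerts(s))
```

Feed it your own access log (for example, summarize(open("access.log"))) to list every client that has probed the file and whether any of them ever got a 200. A 200 recorded before the patch or block went in is the one that matters for triage: that client now knows your document root.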
