CVE-2024-13539
📋 TL;DR
The AForms Eats WordPress plugin discloses full server path information through a publicly accessible vendor file. This information disclosure vulnerability affects all WordPress sites using AForms Eats plugin versions 1.3.1 and earlier. While not directly damaging, the exposed path information can assist attackers in targeting other vulnerabilities.
💻 Affected Systems
- AForms Eats WordPress Plugin
📦 What is this software?
Aforms Eats by Vividcolorsjp
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path information with other vulnerabilities (like file inclusion or directory traversal) to achieve remote code execution or sensitive data exposure.
Likely Case
Attackers gather reconnaissance data about server structure to plan more sophisticated attacks against the WordPress installation.
If Mitigated
Path information is exposed but cannot be leveraged due to proper security controls and lack of other vulnerabilities.
🎯 Exploit Status
Exploitation requires simple HTTP requests to the vulnerable file path. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.3.1
Vendor Advisory: https://plugins.trac.wordpress.org/browser/aforms-eats/trunk/vendor/aura/payload-interface/phpunit.php
Restart Required: No
Instructions:
1. Update the AForms Eats plugin to the latest version via the WordPress admin panel.
2. Verify that the /vendor/aura/payload-interface/phpunit.php file is no longer publicly accessible.
🔧 Temporary Workarounds
Block Access to Vulnerable File
Use web server configuration to block public access to the vulnerable PHP file.
# For Apache: Add to .htaccess
<Files "phpunit.php">
Require all denied
</Files>
# For Nginx: Add to server block
location ~* /vendor/aura/payload-interface/phpunit\.php$ {
deny all;
return 403;
}
Remove Vulnerable File
Delete the vulnerable file from the plugin directory.
rm -f /path/to/wordpress/wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to /vendor/aura/payload-interface/phpunit.php
- Monitor access logs for requests to the vulnerable file path and investigate any hits
🔍 How to Verify
Check if Vulnerable:
Visit https://your-site.com/wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php in a browser. If you see PHP error output or path information, the site is vulnerable.
Check Version:
Check WordPress admin panel > Plugins > AForms Eats, or examine wp-content/plugins/aforms-eats/readme.txt file version header.
Verify Fix Applied:
Attempt to access the vulnerable URL after patching. You should receive a 403/404 error or blank page instead of path disclosure.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php
- GET requests to phpunit.php file with successful responses
Network Indicators:
- HTTP traffic to the vulnerable file path returning PHP error content
SIEM Query:
source="web_access_logs" AND uri_path="/wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php" AND status=200
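The SIEM query above applied to raw web server access logs, as an added example that is not part of the advisory: it parses combined-format lines, strips any query string (so a request with trailing parameters is still caught, slightly broader than the exact-match query), and reports only requests for the vulnerable file that were answered with HTTP 200. The log format regex and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Optional

# Path of the vulnerable vendor file, taken from the advisory.
VULN_PATH = "/wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php"

# Apache/Nginx "combined" access log format (assumed; adjust to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries matching the advisory's log indicator: a request for the
    vulnerable file that received a 200 response. 403/404 answers (blocked or
    removed file) are deliberately not flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]  # ignore any query string
        if path.lower() == VULN_PATH and rec["status"] == "200":
            hits.append(rec)
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2025:12:00:02 +0000] "GET /wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jan/2025:12:00:03 +0000] "GET /wp-content/plugins/aforms-eats/vendor/aura/payload-interface/phpunit.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jan/2025:12:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['uri']} -> {h['status']}")
```

Each reported hit is a request that received the disclosed path output and should be investigated per the log indicators above.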
🔗 References
- https://plugins.trac.wordpress.org/browser/aforms-eats/trunk/vendor/aura/payload-interface/phpunit.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3232963%40aforms-eats&new=3232963%40aforms-eats&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5e1950c7-cc7c-48cf-974e-f691ef61d6be?source=cve