CVE-2024-13613

7.5 HIGH

📋 TL;DR

The Wise Chat WordPress plugin stores chat file attachments as plain files under /wp-content/uploads/wise-chat/, where the web server serves them as ordinary static content with no authentication check. Any unauthenticated attacker who knows, guesses, or can list an attachment's path can download it. All versions up to and including 3.3.3 are affected.

💻 Affected Systems

Products:
  • Wise Chat WordPress Plugin
Versions: All versions up to and including 3.3.3
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Any WordPress installation running an affected Wise Chat version is vulnerable; the flaw lies in how the plugin stores and serves attachments (plain files in the public uploads directory), not in a site-specific setting. In practice there is something to steal only where users have uploaded attachments through the chat.

📦 What is this software?

Wise Chat is a WordPress plugin that adds chat rooms to a site. Users post messages and, where the feature is enabled, attach files; the plugin writes those attachments under /wp-content/uploads/wise-chat/, which is where this vulnerability lies.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Every attachment ever shared through the chat becomes downloadable by anyone on the internet, including documents, personal data, or credentials that users placed in uploaded files.

🟠

Likely Case

Unauthorized access to chat file attachments containing personal data, business documents, or other sensitive information shared through the chat system.

🟢

If Mitigated

Exposure is limited if the web server denies direct access to the Wise Chat uploads directory, if directory listing is off and attachment names are not guessable, or if file attachments are disabled in the plugin.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: Likely (a browser is all that is needed)
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation needs only HTTP access to the site. Attachments live under /wp-content/uploads/wise-chat/ and are served by the web server as static files without any WordPress authentication check, so anyone who knows an attachment's path can download it; if directory indexing is enabled, the listing reveals the names directly. No account or special tooling is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 3.3.3 shipped only a partial fix and is still listed as affected; update to the latest release later than 3.3.3.

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3288680/

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Wise Chat plugin
4. Click 'Update Now' if update available
5. If no update available, download latest version from WordPress repository
6. Deactivate old plugin, upload new version, activate

🔧 Temporary Workarounds

Restrict uploads directory access

linux

Add an .htaccess file that denies direct web access to the Wise Chat uploads directory. The original Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat they produce a 500 error, so the file below carries both forms. This only takes effect where AllowOverride permits .htaccess under wp-content, and nginx ignores .htaccess entirely (add an equivalent deny rule for the path in the server block instead). It also blocks legitimate attachment downloads, so pair it with disabling attachments in the plugin.

cat > /path/to/wp-content/uploads/wise-chat/.htaccess <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>
EOF

Disable file attachments

all

Temporarily disable file upload functionality in Wise Chat settings

🧯 If You Can't Patch

  • Disable or uninstall the Wise Chat plugin immediately
  • Implement web application firewall rules to block access to /wp-content/uploads/wise-chat/ paths (this also blocks legitimate downloads, so combine it with disabling attachments)

🔍 How to Verify

Check if Vulnerable:

From a browser or curl with no WordPress session, request /wp-content/uploads/wise-chat/ on the site and, if you know one, the URL of an attachment that was shared in chat. A 200 on the directory with an "Index of" listing, or a 200 on the attachment, confirms the exposure. A 200 on the directory with an empty page means only listing is suppressed; files under it are still fetchable by name.

Check Version:

wp plugin list --name=wise-chat --field=version

(requires WP-CLI; otherwise read the version from the WordPress admin Plugins page)

Verify Fix Applied:

After updating, confirm from an unauthenticated client that an attachment URL that was previously reachable no longer returns 200 (expect 403 or 404), and that /wp-content/uploads/wise-chat/ no longer returns a directory listing.
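The three checks above (plugin version, directory listing, and unauthenticated reachability of a known attachment) as one script. This is an added example, not code from the advisory or from the Wise Chat plugin. It assumes the plugin slug is wise-chat, that attachments sit under /wp-content/uploads/wise-chat/, and that the plugin's public readme.txt follows the standard WordPress "Stable tag:" convention; those paths are inferred from the advisory, not confirmed by it. Only run it against sites you are authorized to test.

```python
"""Added example (not from the original advisory or the Wise Chat plugin):
check a site for the CVE-2024-13613 exposure described above.
Assumed: plugin slug 'wise-chat', attachments under /wp-content/uploads/wise-chat/,
and a readme.txt with the standard WordPress 'Stable tag:' line.
"""
import re
import sys
import urllib.error
import urllib.request

UPLOAD_DIR = "/wp-content/uploads/wise-chat/"
README = "/wp-content/plugins/wise-chat/readme.txt"
LAST_AFFECTED = (3, 3, 3)   # advisory: all versions up to and including 3.3.3


def fetch(url, timeout=10):
    """GET url; return (status, body). HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2024-13613-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def parse_stable_tag(readme_text):
    """Version from a WordPress plugin readme.txt ('Stable tag: 3.3.3'), or None."""
    m = re.search(r"^Stable tag:\s*v?([0-9]+(?:\.[0-9]+)*)", readme_text, re.I | re.M)
    return m.group(1) if m else None


def is_affected_version(version):
    """True if version is inside the affected range (<= 3.3.3)."""
    return tuple(int(p) for p in version.split(".")) <= LAST_AFFECTED


def classify_dir_response(status, body):
    """Interpret the response to GET /wp-content/uploads/wise-chat/."""
    if status == 200 and re.search(r"<title>\s*Index of", body, re.I):
        return "exposed: directory listing is on, attachment names are enumerable"
    if status == 200:
        return "served: listing hidden, but files under it are still fetchable by name"
    if status == 403:
        return "blocked: direct access denied"
    if status == 404:
        return "absent: directory not found (plugin inactive, no uploads yet, or path rewritten)"
    return "unknown: HTTP %d" % status


def probe(base_url, known_file=None):
    """Run the checks against base_url. known_file is the name of an attachment
    the site owner knows exists, used to confirm files are reachable without auth."""
    base = base_url.rstrip("/")
    out = {}
    status, body = fetch(base + README)
    version = parse_stable_tag(body) if status == 200 else None
    out["version"] = version
    out["version_affected"] = is_affected_version(version) if version else None
    status, body = fetch(base + UPLOAD_DIR)
    out["upload_dir"] = classify_dir_response(status, body)
    if known_file:
        status, _ = fetch(base + UPLOAD_DIR + known_file)
        out["known_file"] = ("reachable unauthenticated (HTTP 200)" if status == 200
                             else "HTTP %d" % status)
    return out


if __name__ == "__main__":
    # usage: python check_wise_chat.py https://example.com [attachment-file-name]
    known = sys.argv[2] if len(sys.argv) > 2 else None
    for key, value in probe(sys.argv[1], known).items():
        print("%-17s %s" % (key + ":", value))
```

A version at or below 3.3.3 plus any "exposed" or "served" result on the upload directory means the site is vulnerable; after patching or applying the .htaccess workaround, rerun with a known attachment name and expect 403 or 404 for it.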

📡 Detection & Monitoring

Log Indicators:

  • Multiple 200 OK responses to /wp-content/uploads/wise-chat/ paths from a single client that never authenticated (no wordpress_logged_in_* cookie, where your logs capture cookies) and sends no Referer from the site's own pages
  • A GET on the directory itself (/wp-content/uploads/wise-chat/) returning 200, which indicates listing probes, followed by downloads of many distinct files

Network Indicators:

  • HTTP GET requests to /wp-content/uploads/wise-chat/* from external IPs
  • File downloads from uploads directory without preceding authentication

SIEM Query:

Splunk-style query using the field names above (adjust src_ip and the rest to your log schema). The original form compared user_agent against the literal string "bot|crawler|scanner", so it excluded nothing; a regex filter is needed:

source="web_access_logs" uri_path="/wp-content/uploads/wise-chat/*" response_code=200
| regex user_agent!="(?i)bot|crawler|scanner"
| stats count AS hits dc(uri_path) AS distinct_files BY src_ip
| where hits >= 10 OR distinct_files >= 3
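The same detection logic run over access-log lines, for sites without a SIEM. This is an added example, not code from the advisory or the plugin. It assumes the Apache/nginx "combined" log format and attachments served from /wp-content/uploads/wise-chat/; the SAMPLE_LOG lines, IPs and file names are constructed for illustration. A client is flagged when it fetched the directory itself (listing probe) or pulled several distinct attachments with no request referred from the site's own pages.

```python
"""Added example (not from the original advisory or the Wise Chat plugin):
find unauthenticated mass download of Wise Chat attachments in access logs.
Assumed: combined log format; attachments under /wp-content/uploads/wise-chat/.
SAMPLE_LOG is constructed test data.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

TARGET = "/wp-content/uploads/wise-chat/"
BOT_UA = re.compile(r"bot|crawler|scanner|spider", re.I)

# combined format: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one scraper, one legitimate chat user, one bot, one unrelated
# file, one request already blocked by the .htaccess workaround.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2025:08:01:02 +0000] "GET /wp-content/uploads/wise-chat/contract.pdf HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2025:08:01:04 +0000] "GET /wp-content/uploads/wise-chat/passport.jpg HTTP/1.1" 200 91032 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2025:08:01:06 +0000] "GET /wp-content/uploads/wise-chat/notes.docx HTTP/1.1" 200 12077 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2025:08:01:08 +0000] "GET /wp-content/uploads/wise-chat/ HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2025:08:05:00 +0000] "GET /wp-content/uploads/wise-chat/passport.jpg HTTP/1.1" 200 91032 "https://example.com/chat/" "Mozilla/5.0"
198.51.100.9 - - [10/Feb/2025:08:06:00 +0000] "GET /wp-content/uploads/wise-chat/ HTTP/1.1" 200 3120 "-" "Googlebot/2.1"
192.0.2.3 - - [10/Feb/2025:08:07:00 +0000] "GET /wp-content/uploads/2025/02/logo.png HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
192.0.2.4 - - [10/Feb/2025:08:08:00 +0000] "GET /wp-content/uploads/wise-chat/contract.pdf HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def wise_chat_hits(lines):
    """Successful (200) fetches under the Wise Chat upload dir, ignoring self-declared bots."""
    for line in lines:
        e = parse_line(line)
        if (e and e["status"] == 200 and e["path"].startswith(TARGET)
                and not BOT_UA.search(e["ua"])):
            yield e


def summarize(lines, site_host):
    """Per client IP: hit count, distinct files, whether the directory itself was
    requested (listing probe), and how many hits had no Referer from site_host."""
    per_ip = defaultdict(lambda: {"hits": 0, "files": set(), "listing": False, "off_site": 0})
    for e in wise_chat_hits(lines):
        s = per_ip[e["ip"]]
        s["hits"] += 1
        if e["path"] == TARGET:
            s["listing"] = True                     # GET on the directory itself
        else:
            s["files"].add(e["path"])
        if urlparse(e["referer"]).netloc != site_host:
            s["off_site"] += 1                      # "-" or foreign referer: not clicked in the chat UI
    return per_ip


def flag(lines, site_host, threshold=3):
    """IPs that probed the listing, or fetched >= threshold distinct attachments
    with every request lacking an on-site Referer."""
    suspects = []
    for ip, s in summarize(lines, site_host).items():
        if s["listing"] or (len(s["files"]) >= threshold and s["off_site"] == s["hits"]):
            suspects.append(ip)
    return sorted(suspects)


if __name__ == "__main__":
    import sys
    # usage: python wise_chat_log_scan.py [access.log]; with no argument, scans SAMPLE_LOG
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip in flag(lines, site_host="example.com"):
        print("suspicious:", ip)
```

The Referer test is a heuristic: browsers can suppress it, so treat a flagged IP as a lead to pivot on (what else did it request, did it ever log in) rather than proof. Requests already answered with 403 after the workaround are deliberately ignored, so the counts reflect actual downloads.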

🔗 References

  • Vendor fix changeset (cited above as the vendor advisory): https://plugins.trac.wordpress.org/changeset/3288680/
