CVE-2024-7413
📋 TL;DR
The Obfuscate Email WordPress plugin discloses the full server path to unauthenticated attackers in all versions up to 3.8.1. This occurs because the plugin's bootstrap.php file is directly accessible with display_errors enabled. While the path disclosure alone doesn't cause damage, it provides reconnaissance information that can aid in exploiting other vulnerabilities.
💻 Affected Systems
- Obfuscate Email WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers combine path disclosure with another vulnerability (like file inclusion or directory traversal) to achieve remote code execution or sensitive data exposure.
Likely Case
Attackers gather reconnaissance information about server structure to plan more sophisticated attacks against the WordPress installation.
If Mitigated
Path disclosure provides limited value without additional vulnerabilities present in the system.
🎯 Exploit Status
Exploitation requires only HTTP GET requests to the vulnerable file path.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.8.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/obfuscate-email/trunk/phpunit/bootstrap.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Obfuscate Email plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 3.8.2+ from WordPress repository and replace plugin files.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily deactivate the Obfuscate Email plugin until patched.
Restrict File Access
linuxAdd .htaccess rules to block direct access to bootstrap.php file.
<Files "bootstrap.php">
Order Allow,Deny
Deny from all
</Files>
🧯 If You Can't Patch
- Remove or disable the Obfuscate Email plugin entirely
- Implement web application firewall rules to block requests to /wp-content/plugins/obfuscate-email/phpunit/bootstrap.php
🔍 How to Verify
Check if Vulnerable:
Access https://[your-domain]/wp-content/plugins/obfuscate-email/phpunit/bootstrap.php - if it returns server path information, you're vulnerable.Check Version:
Check WordPress admin panel → Plugins → Obfuscate Email, or examine /wp-content/plugins/obfuscate-email/readme.txt version header.Verify Fix Applied:
After updating, attempt to access the bootstrap.php file again - it should return a 403/404 error or blank page instead of path disclosure.📡 Detection & Monitoring
Log Indicators:
- HTTP GET requests to /wp-content/plugins/obfuscate-email/phpunit/bootstrap.php
- Multiple 200 responses to the bootstrap.php file from single IPs
Network Indicators:
- Unusual scanning patterns targeting plugin directories
- Reconnaissance traffic to WordPress plugin paths
SIEM Query:
source="web_logs" AND uri="/wp-content/plugins/obfuscate-email/phpunit/bootstrap.php" AND response=200