CVE-2024-13535: 
WordPress vulnerability analysis and mitigation

The Actionwear products sync plugin for WordPress contains a Full Path Disclosure vulnerability (CVE-2024-13535) affecting all versions up to and including 2.3.0. The vulnerability was discovered and disclosed on February 18, 2025, impacting WordPress installations using the affected plugin versions (NVD CVE).

The vulnerability stems from the composer-setup.php file being publicly accessible with 'display_errors' set to true. This configuration issue allows unauthenticated attackers to retrieve the full path of the web application. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges (NVD CVE).

The vulnerability allows attackers to obtain the full path of the web application. However, the exposed information alone is not directly harmful but could potentially be used to aid other attacks. The impact is considered limited as it requires another vulnerability to be present for any significant damage to occur (NVD CVE).

Website administrators running the Actionwear products sync plugin should update to a version newer than 2.3.0 to address this vulnerability (NVD CVE).