CVE-2024-13539: 
WordPress vulnerability analysis and mitigation

The AForms Eats plugin for WordPress (CVE-2024-13539) contains a Full Path Disclosure vulnerability affecting all versions up to and including 1.3.1. The vulnerability was discovered and disclosed on February 11, 2025 (NVD).

The vulnerability exists due to the /vendor/aura/payload-interface/phpunit.php file being publicly accessible and displaying error messages. This implementation has been assigned a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-209 (Generation of Error Message Containing Sensitive Information) (Wordfence).

The vulnerability allows unauthenticated attackers to retrieve the full path of the web application. While the exposed information is not directly harmful on its own, it can potentially be used to aid other attacks. The impact is considered limited as it requires another vulnerability to be present for causing actual damage to an affected website (NVD).

Website administrators running AForms Eats plugin should upgrade to version 1.3.2 or later which contains the fix for this vulnerability (NVD).