CVE-2024-13600: 
WordPress vulnerability analysis and mitigation

The Majestic Support WordPress plugin (versions up to 1.0.5) contains a Sensitive Information Exposure vulnerability (CVE-2024-13600). The vulnerability was discovered and reported by Wordfence, with the initial disclosure on February 12, 2025. This security flaw affects the plugin's 'majesticsupportdata' directory functionality (Wordfence Advisory).

The vulnerability exists in the handling of file attachments within the /wp-content/uploads/majesticsupportdata directory. The issue stems from insecure storage of sensitive data in this directory, which can be accessed by unauthenticated users. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact with network-based attack vector requiring no privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to access and extract sensitive data stored in the support tickets' file attachments. This could lead to exposure of confidential information submitted through the support system (Wordfence Advisory).

A patch has been released to address this vulnerability. Users are advised to update to version 1.0.6 or later of the Majestic Support plugin (WordPress Patch).