CVE-2024-13638: 
WordPress vulnerability analysis and mitigation

The Order Attachments for WooCommerce plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-13638) affecting all versions up to and including 2.5.1. The vulnerability was discovered and reported by Tim Coen, with public disclosure on February 27, 2025 (Wordfence).

The vulnerability exists in the 'uploads' directory implementation, where sensitive data is stored insecurely in the /wp-content/uploads directory. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while Wordfence assessed it at 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows unauthenticated attackers to extract sensitive data stored in the /wp-content/uploads directory. This directory can contain file attachments added to orders, potentially exposing confidential customer information and order-related documents (NVD).

Users should update to a version newer than 2.5.1 when available. As this is a recently disclosed vulnerability, specific mitigation details are still emerging (NVD).