CVE-2024-13641: 
WordPress vulnerability analysis and mitigation

The Return Refund and Exchange For WooCommerce plugin (CVE-2024-13641) contains a Sensitive Information Exposure vulnerability affecting all versions up to and including 4.4.5. The vulnerability was discovered and reported by Wordfence, with the initial disclosure made on February 14, 2025 (NVD CVE).

The vulnerability exists in the 'attachment' directory of the plugin, where sensitive data is stored insecurely in the /wp-content/attachment directory. The vulnerability has received a CVSS v3.1 base score of 7.5 (HIGH) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, while Wordfence assigned a CVSS score of 5.9 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD CVE).

The vulnerability allows unauthenticated attackers to extract sensitive data stored in the /wp-content/attachment directory, which contains file attachments for order refunds. This exposure of sensitive information could potentially compromise customer data and order-related information (NVD CVE).

A patch has been released in version 4.4.6 of the plugin. Users are advised to update to this version or later to address the vulnerability (WordPress Plugin).