CVE-2024-54366: 
WordPress vulnerability analysis and mitigation

The Vimeography WordPress plugin versions up to 2.4.4 contains a Full Path Disclosure (FPD) vulnerability, identified as CVE-2024-54366. This security issue was discovered by Fariq Fadillah Gusti Insani and publicly disclosed on December 11, 2024. The vulnerability affects the Vimeography: Vimeo Video Gallery WordPress Plugin and allows unauthenticated attackers to access sensitive information (Patchstack, WPScan).

The vulnerability is classified as a Generation of Error Message Containing Sensitive Information (CWE-209) with a CVSS v3.1 score of 5.3 (Medium). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with low confidentiality impact (C:L) and no impact on integrity (I:N) or availability (A:N) (Patchstack).

This vulnerability could allow malicious actors to discover the full path of folders or files within the system. Such information disclosure could potentially be leveraged to exploit other weaknesses in the system. The vulnerability falls under the OWASP Top 10 category A3: Sensitive Data Exposure (Patchstack, WPScan).

The vulnerability has been fixed in version 2.4.5 of the Vimeography plugin. Users are advised to update to version 2.4.5 or later to remediate this security issue. Patchstack users have the option to enable auto-updates for vulnerable plugins (Patchstack).