CVE-2024-6557: 
WordPress vulnerability analysis and mitigation

The SchedulePress WordPress plugin (Auto Post & Publish, Auto Social Share, Schedule Posts with Editorial Calendar & Missed Schedule Post Publisher) is vulnerable to Full Path Disclosure in versions up to and including 5.1.3. This vulnerability was assigned CVE-2024-6557 and was disclosed on July 16, 2024 (NVD).

The vulnerability stems from the plugin utilizing the wpdeveloper library and leaving demo files in place with display_errors enabled. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (Wordfence).

The vulnerability allows unauthenticated attackers to retrieve the full path of the web application. While the exposed information is not directly harmful on its own, it can be leveraged to aid other attacks when combined with additional vulnerabilities (NVD).

Users should update to a version newer than 5.1.3 of the SchedulePress plugin. If immediate updating is not possible, consider removing or securing access to the demo files in the wpdeveloper library, or disabling the display_errors setting (NVD).