CVE-2024-6574: 
WordPress vulnerability analysis and mitigation

The Laposta plugin for WordPress contains a Full Path Disclosure vulnerability (CVE-2024-6574) affecting all versions up to and including 1.12. The vulnerability was discovered and disclosed on July 13, 2024. The issue exists because the plugin does not prevent direct access to several test files, allowing unauthenticated attackers to retrieve the full path of the web application (NVD).

The vulnerability stems from insufficient access controls on test files within the plugin. When accessed directly, these files expose the complete server path of the web application. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

While the exposed information is not directly harmful on its own, the full path disclosure can be leveraged by attackers to aid in other attacks. The vulnerability primarily impacts the confidentiality of the system by revealing sensitive path information that could be used to facilitate more severe exploits (NVD).

As the plugin is no longer being maintained and has been closed for downloads, the primary mitigation strategy would be to remove the plugin from WordPress installations. No official patches are available since the plugin has been discontinued (NVD).