CVE-2024-7410: 
WordPress vulnerability analysis and mitigation

The My Custom CSS PHP & ADS plugin for WordPress contains a Full Path Disclosure vulnerability (CVE-2024-7410) affecting all versions up to and including 3.3. The vulnerability was discovered and disclosed in August 2024. The issue stems from the plugin's failure to prevent direct access to the /my-custom-css/vendor/mobiledetect/mobiledetectlib/export/exportToJSON.php file, which can expose the full path of the web application (NVD).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The technical issue lies in the direct accessibility of a specific PHP file that reveals the full system path information (NVD).

The vulnerability allows unauthenticated attackers to retrieve the full path of the web application. While this information alone is not directly harmful, it can be leveraged to aid other attacks. The exposed path information could be used as a stepping stone for more sophisticated attacks when combined with other vulnerabilities (NVD).

Website administrators running the My Custom CSS PHP & ADS plugin should update to a version newer than 3.3 if available. If an update is not available, consider implementing additional security measures to prevent direct access to plugin files or temporarily disabling the plugin until a fix is released (NVD).