WordPress Plugin Vulnerabilities

1003 Mortgage Application <= 1.87 - Unauthenticated Full Path Disclosure

Description

The 1003 Mortgage Application plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.87. This is due the /inc/class/fnm/export.php file being publicly accessible with error logging enabled. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Affects Plugins

Plugin icon
1003-mortgage-application
No known fix

References

CVE
CVE-2024-13536
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cfbc90b9-af91-49ac-ad3d-a37c17e8ba6d

Classification

Type
FPD
OWASP top 10
A6: Security Misconfiguration
CWE
CWE-209
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
stealthcopter
Verified
No
WPVDB ID
14f9cd72-7f2c-4fe8-9e79-f350d52577f1

Timeline

Publicly Published
2025-01-20 (about 1 year ago)
Added
2025-01-20 (about 1 year ago)
Last Updated
2025-01-21 (about 1 year ago)

Other

Published
Title
Published
2025-12-15
Title
Fancy Product Designer | WooCommerce WordPress < 6.5.0 - Unauthenticated Full Path Disclosure via 'pdf' Parameter
Published
2012-12-06
Title
Simple Gmail Login < 1.1.4 - FPD
Published
2015-02-08
Title
NextGEN Gallery 1.9.11 - Full Path Disclosure
Published
2014-08-01
Title
Tera Charts 0.1 - Unauthenticated Remote Path Traversal File Disclosure
Published
2025-02-20
Title
C9 Blocks <= 1.7.7 - Unauthenticated Full Path Disclosure