Branda – White Label WordPress, Custom Login Page Customizer < 3.4.19 – Unauthenticated Full Path Disclosure | CVE 2024-6554 | Plugin Vulnerabilities

Description

The Branda – White Label WordPress, Custom Login Page Customizer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 3.4.18. This is due the plugin utilizing composer without preventing direct access to the files. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.

Affects Plugins

branda-white-labeling

Fixed in 3.4.19

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0a79eb25-a7d1-4102-97e6-8fa8db9ed03e

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

2391b6d1-54c9-42ee-8b07-9b3c7b62aa92

Timeline

Publicly Published

2024-07-10 (about 1 year ago)

Added

2024-07-10 (about 1 year ago)

Last Updated

2024-07-11 (about 1 year ago)

Other

Published

Title

Published

2026-01-08

Title

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot < 2.1.16 - Unauthenticated Sensitive Information Exposure

Published

2024-07-26

Title

Admin Post Navigation <= 2.1 - Unauthenticated Full Path Disclosure

Published

2025-01-06

Title

Member Access <= 1.1.6 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

Published

2025-01-17

Title

Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin < 2.9.2 - Information Exposure

Published

2024-04-05

Title

Premium Addons for Elementor < 4.10.23 - Authenticated (Contributor+) Sensitive Information Exposure