Actionwear Products Sync WordPress Plugin Full Path Disclosure Vulnerability

Vulnerability

A full path disclosure vulnerability has been identified in the Actionwear Products Sync plugin for WordPress, affecting all versions through 2.3.2. The issue arises because the composer-setup.php file is publicly accessible with 'display_errors' enabled. This configuration allows unauthenticated attackers to retrieve the full path of the web application, potentially aiding in the exploitation of other vulnerabilities. While the disclosed information is not harmful on its own, it could be used in conjunction with another vulnerability to compromise an affected website.

Impact

Exploitation of this vulnerability could lead to full path disclosure, allowing attackers to obtain the complete file system path of the web application. This information could be used to facilitate further attacks, particularly if other vulnerabilities are present.

Remediation

Users are advised to update the Actionwear Products Sync plugin to version 2.3.3 or a newer patched version.
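To check a site for the condition described above, the following added example (not code from the plugin or from this advisory) walks a WordPress plugins directory and reports every composer-setup.php it finds, whether that script turns display_errors on, and whether the owning plugin is this one at a version below 2.3.3. It assumes the usual wp-content/plugins layout and that the plugin's header comment carries the name "Actionwear Products Sync"; the function names audit, header and plugin_info are this example's own.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 3, 3)                         # first patched release named in the advisory
PLUGIN_NAME = "actionwear products sync"  # assumed to appear in the "Plugin Name:" header
DISPLAY_ERRORS_ON = re.compile(
    r"""ini_set\(\s*['"]display_errors['"]\s*,\s*['"]?(?:1|on|true|stdout)['"]?\s*\)""",
    re.I)

def header(text, field):
    """Read one field from a WordPress plugin header comment, or None."""
    m = re.search(rf"^[ \t/*#@]*{re.escape(field)}:[ \t]*(.+?)[ \t]*$", text, re.I | re.M)
    return m.group(1) if m else None

def plugin_info(plugin_dir, skip):
    """Return (name, version tuple) from the first top-level PHP file carrying a header."""
    for php in sorted(plugin_dir.glob("*.php")):
        if php.name == skip:
            continue
        text = php.read_text(errors="replace")[:8192]
        name, ver = header(text, "Plugin Name"), header(text, "Version")
        if name and ver:
            return name, tuple(int(n) for n in re.findall(r"\d+", ver))
    return None, None

def audit(plugins_root, leftover="composer-setup.php"):
    """List every leftover installer script under a plugins directory."""
    root, findings = Path(plugins_root), []
    if not root.is_dir():
        return findings
    for plugin_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        name, version = plugin_info(plugin_dir, leftover)
        for hit in sorted(plugin_dir.rglob(leftover)):
            findings.append({
                "file": hit.relative_to(root).as_posix(),
                "forces_display_errors": bool(
                    DISPLAY_ERRORS_ON.search(hit.read_text(errors="replace"))),
                "version": version,
                # Affected per the advisory: this plugin, any version below 2.3.3.
                "affected": bool(name and PLUGIN_NAME in name.lower()
                                 and version and version < FIXED),
            })
    return findings

if __name__ == "__main__":
    for f in audit(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f)
```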

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 8.2
remediation: 7.7
relevance: 0.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.