CVE-2024-13791

MEDIUM

Bitapps Bit Assist < 1.5.3 - Path Traversal

Title source: rule

Description

Bit Assist plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.2 via the downloadResponseFile() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

References (4)

[Product] https://github.com/WordPressBugBounty/plugins-bit-assist/blob/main/bit-assist/backend/app/HTTP/Controllers/DownloadController.php

View Writeup ZIP pw:eip

[Patch] https://plugins.trac.wordpress.org/changeset/3239816/#file3

[Product, Release Notes] https://wordpress.org/plugins/bit-assist/#developers

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/17fd14e7-503a-49e4-9344-5f8d51801eb3?source=cve

Scores

CVSS v3 4.9

EPSS 0.0013

EPSS Percentile 31.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-22 CWE-23

Status published

Products (2)

bitapps/bit_assist < 1.5.3

bitpressadmin/Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist < 1.5.2

Published Feb 14, 2025

Tracked Since Feb 18, 2026