CVE-2024-33575

MEDIUM EXPLOITED NUCLEI

User Meta <= 3.0 - Exposure of Sensitive Information to an Unauthorized Actor


Exploitation Summary

CVE-2024-33575 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains functional exploit code for multiple CVEs, including remote file inclusion, path traversal, and unauthorized file deletion vulnerabilities. The PoCs are well-structured and include HTTP requests to demonstrate the vulnerabilities.

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in User Meta user-meta. This issue affects User Meta: from n/a through 3.0.

Exploits (1)

github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2024/CVE-2024-33575.md


Classification: Working PoC 95%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Various (WordPress plugins, QNAP Photo Station, IBM Data Risk Manager, Wipro Holmes Orchestrator)
No auth needed
Prerequisites: Network access to the target system
devstral-2 · analyzed Feb 27, 2026

Nuclei Templates (1)

User Meta WP Plugin < 3.1 - Sensitive Information Exposure
MEDIUM · by s4e-io
Shodan: http.html:/wp-content/plugins/user-meta/
FOFA: body=/wp-content/plugins/user-meta/

Scores

CVSS v3 5.3
EPSS 0.0112
EPSS Percentile 61.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

VulnCheck KEV 2025-03-11
CWE CWE-200
Status published
Products (1)
User Meta/User Meta < 3.0
Published Apr 29, 2024
Tracked Since Feb 18, 2026