
CVE-2024-11642

Severity: Critical
Published: 09 January 2025
Modified: 08 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0075 (73.2th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.4.12 via the 'locate_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The file included must have a .php extension.

Security Summary

CVE-2024-11642 is a local file inclusion (LFI) vulnerability, classified under CWE-22 (path traversal), affecting the Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder plugin for WordPress. The flaw exists in all versions up to and including 3.4.12 due to improper handling in the 'locate_template' function within Shortcode.php. This allows attackers to include and execute arbitrary files on the server, provided they have a .php extension, potentially leading to remote code execution.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables the inclusion of arbitrary PHP files, allowing code execution, bypass of access controls, and extraction of sensitive data. The impact is heightened in environments where users can upload images or other "safe" file types that contain embedded PHP code.

Advisories, including Wordfence's, identify the code changes in version 3.4.13 of the plugin (visible in the WordPress plugin Trac repository) as the fix. Security practitioners should urge immediate updates to version 3.4.13 or later on affected WordPress sites running the plugin.
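As an added illustration, not the plugin's own code (which this page does not reproduce), the defensive pattern that closes this class of template-lookup LFI: accept only a fixed set of template slugs, build the path from the allowlisted value rather than raw input, and confine the resolved path to the plugin's own template directory. The function name `pgm_safe_locate_template`, the `templates/` directory and the slug names are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumed layout: templates live under
// <plugin dir>/templates/<slug>.php, and $slug arrives from a shortcode attribute
// or an AJAX request, i.e. it is untrusted input.
function pgm_safe_locate_template( string $slug ): ?string {
    // 1. Allowlist: only template names the plugin ships may be requested.
    //    (assumed names; a real plugin would list its actual templates)
    static $allowed = [ 'grid', 'list', 'masonry' ];
    if ( ! in_array( $slug, $allowed, true ) ) {
        return null;
    }

    // 2. Build the path from the allowlisted slug only and force the
    //    .php suffix; never concatenate raw request data into the path.
    $base = realpath( __DIR__ . '/templates' );
    $path = realpath( $base . '/' . $slug . '.php' );

    // 3. Confine: realpath() resolves '..' and symlinks, so any result that
    //    is missing or lies outside $base is rejected instead of included.
    if ( $base === false || $path === false
        || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $path;
}

// Caller: include only after validation and treat null as a hard failure.
$template = pgm_safe_locate_template( $requested_slug ?? '' );
if ( $template !== null ) {
    include $template;
}
```

The allowlist check alone already blocks traversal sequences; the realpath() confinement is a second, independent guard so a future change to the path construction cannot silently reopen the hole.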

Details

CWE(s): CWE-22

Affected Products: addonmaster, post grid master, versions ≤ 3.4.12

References