CVE-2024-12811 is a Local File Inclusion vulnerability classified under CWE-98, found in the Traveler WordPress theme developed by ShineTheme. The flaw exists in the handling of the 'hotel_alone_slider' shortcode's 'style' attribute, which fails to properly sanitize or validate input used in PHP include or require statements. Authenticated users with contributor-level or higher permissions can exploit this by manipulating the 'style' attribute to include arbitrary files from the server filesystem. If an attacker can upload PHP files (e.g., via other plugin vulnerabilities or misconfigurations), they can execute arbitrary PHP code, leading to full compromise of the web server environment. The vulnerability affects all versions up to and including 3.1.8 of the theme. The CVSS 3.1 base score is 8.8, reflecting network attack vector, low attack complexity, required privileges at contributor level, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported, the vulnerability poses a significant risk due to the common use of WordPress and the theme in travel and booking websites, which often handle sensitive customer data and payment information. The flaw enables attackers to bypass access controls and potentially pivot to further internal network compromise.

The impact of CVE-2024-12811 is severe for organizations using the Traveler WordPress theme, especially those in the travel, hospitality, and booking sectors. Successful exploitation can lead to remote code execution on the web server, allowing attackers to execute arbitrary PHP code, steal sensitive customer and business data, modify website content, or disrupt service availability. This can result in data breaches, financial loss, reputational damage, and regulatory penalties. Since the vulnerability requires only contributor-level authentication, attackers may gain initial access through compromised or weak user credentials or social engineering. The ability to include arbitrary files also facilitates privilege escalation and lateral movement within the hosting environment. Organizations relying on this theme for customer-facing booking systems are particularly at risk, as attackers could manipulate booking data or inject malicious content affecting end users.

Organizations should immediately audit user permissions and restrict contributor-level access to trusted users only. Disable or remove the 'hotel_alone_slider' shortcode if it is not essential. Monitor file upload directories and web server logs for suspicious activity, such as unexpected PHP file uploads or unusual include paths. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit the 'style' attribute in the shortcode. Apply principle of least privilege to WordPress roles and consider multi-factor authentication to reduce risk of credential compromise. Since no official patch is currently available, consider temporarily switching to alternative themes or custom solutions until a fixed version is released. Regularly update all WordPress components and monitor vendor announcements for patches. Conduct thorough security assessments of the hosting environment to identify and remediate other potential vectors that could facilitate file uploads or code execution.