CVE-2024-13408: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wpwax Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget
CVE-2024-13408 is a high-severity Local File Inclusion (LFI) vulnerability in the WordPress plugin 'Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget' by wpwax, affecting all versions up to 1.6.10. The flaw exists in the handling of the 'theme' attribute of the pgcu shortcode, allowing authenticated users with Contributor-level access or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, bypass of access controls, and exposure of sensitive data. Exploitation requires authentication but no user interaction beyond that. The vulnerability has a CVSS 3.1 score of 7.5, reflecting high impact on confidentiality, integrity, and availability. No public exploits are currently known.
AI Analysis
Technical Summary
CVE-2024-13408 is a Local File Inclusion vulnerability classified under CWE-98, affecting the WordPress plugin 'Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget' developed by wpwax. The vulnerability arises from improper control of the filename used in the include/require statement within the plugin's code, specifically via the 'theme' attribute in the 'pgcu' shortcode. Authenticated attackers with at least Contributor-level privileges can manipulate this attribute to include arbitrary files from the server filesystem. If an attacker can upload PHP files (e.g., via other vulnerabilities or upload features), they can execute arbitrary PHP code, leading to remote code execution. This flaw enables attackers to bypass access controls, access sensitive files, and potentially take full control of the affected WordPress site and underlying server. The vulnerability affects all plugin versions up to and including 1.6.10. The CVSS 3.1 vector indicates network attack vector, high attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Although no known exploits are reported in the wild, the vulnerability's nature and ease of exploitation by authenticated users make it a significant risk for WordPress sites using this plugin.
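The following PHP is an added illustration of the CWE-98 defect class the summary describes and of one way to harden it; it is not the plugin's code and not taken from this advisory. The attribute name 'theme' comes from the advisory, while the template names, the template directory layout and the function names are assumed for the example. The hardened version treats the attribute only as a key into a fixed allowlist and then verifies that the canonicalised path still lies inside the template directory, which is the code-level fix for this class of bug.

```php
<?php
// Added example: minimal CWE-98 pattern beside an allowlist-based fix.
// Not the plugin's code. Attribute name 'theme' is from the advisory;
// template names, directory layout and function names are assumed.
// Runs stand-alone: php cwe98_example.php

// Hypothetical vulnerable shape: the shortcode attribute selects the file
// to include without validation, which is exactly the CWE-98 defect class.
// Defined for contrast only; the demonstration below never calls it.
function render_unvalidated(string $templateDir, array $atts): string
{
    $theme = $atts['theme'] ?? 'grid';
    ob_start();
    include $templateDir . '/' . $theme . '.php';   // attacker-influenced path
    return (string) ob_get_clean();
}

// Hardened shape: the attribute is only a key into a fixed allowlist, and
// the resolved path is canonicalised and checked to stay inside $templateDir.
function resolve_template(string $templateDir, string $theme): ?string
{
    $allowed = ['grid', 'slider', 'carousel'];      // assumed template names
    if (!in_array($theme, $allowed, true)) {
        return null;                                 // unknown name: refuse
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $theme . '.php');
    if ($base === false || $path === false) {
        return null;                                 // directory or file missing
    }
    // Defence in depth: the canonical path must sit below the template dir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_validated(string $templateDir, array $atts): string
{
    $theme = (string) ($atts['theme'] ?? 'grid');
    $path = resolve_template($templateDir, $theme)
         ?? resolve_template($templateDir, 'grid');  // unknown value: use default
    if ($path === null) {
        return '';
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// --- Demonstration with constructed templates in a temporary directory ---
$dir = sys_get_temp_dir() . '/pgcu-example-' . getmypid();
mkdir($dir, 0700, true);
foreach (['grid', 'slider', 'carousel'] as $name) {
    file_put_contents("$dir/$name.php", "<?php echo 'rendered: $name';");
}

// A listed name renders that template; an unlisted name falls back to the
// default; a value containing path components is refused outright.
echo render_validated($dir, ['theme' => 'slider']), PHP_EOL;
echo render_validated($dir, ['theme' => 'not-a-template']), PHP_EOL;
var_dump(resolve_template($dir, 'sub/dir/grid'));

// Remove the constructed templates.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

In a real plugin the `$atts` array would come from `shortcode_atts()`, and the allowlist would be the plugin's own set of shipped templates; the important property is that no part of the attribute value ever reaches `include` as a path fragment.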
Potential Impact
The impact of CVE-2024-13408 is substantial for organizations running WordPress sites with the vulnerable plugin. Successful exploitation can lead to remote code execution on the web server, allowing attackers to execute arbitrary PHP code. This can result in full site compromise, including defacement, data theft, insertion of backdoors, and pivoting to internal networks. Confidential information stored on the server or accessible via the WordPress installation may be exposed. Integrity of website content and data can be compromised, and availability may be disrupted through malicious actions such as deleting files or deploying ransomware. Since the vulnerability requires only Contributor-level access, attackers who gain such access through weak credentials, social engineering, or other vulnerabilities can escalate their privileges and fully compromise the site. This poses a risk to organizations of all sizes, especially those relying on WordPress for business-critical websites, e-commerce, or customer portals.
Mitigation Recommendations
To mitigate CVE-2024-13408, organizations should immediately update the 'Post Grid, Slider & Carousel Ultimate' plugin to a patched version once available. Until a patch is released, restrict Contributor-level and higher privileges to trusted users only and audit existing user roles to minimize risk. Implement strict file upload controls and scanning to prevent attackers from uploading malicious PHP files that could be included. Employ Web Application Firewalls (WAFs) with rules targeting LFI patterns to detect and block exploitation attempts. Disable or restrict the use of the vulnerable shortcode ('pgcu') if feasible. Monitor server and WordPress logs for unusual file inclusion attempts or privilege escalations. Additionally, harden the server environment by disabling PHP execution in upload directories and applying the principle of least privilege to WordPress file permissions. Regularly back up WordPress sites and test restoration procedures to recover quickly from potential compromises.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-15T17:04:03.757Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e55b7ef31ef0b59e684
Added to database: 2/25/2026, 9:49:09 PM
Last enriched: 2/26/2026, 1:11:50 AM
Last updated: 2/26/2026, 3:36:12 AM