
CVE-2024-13409: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in wpwax Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget

Severity: High
Tags: Vulnerability, CVE-2024-13409, CWE-22
Published: Fri Jan 24 2025 (01/24/2025, 11:07:30 UTC)
Source: CVE Database V5
Vendor/Project: wpwax
Product: Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget

Description

CVE-2024-13409 is a high-severity path traversal vulnerability in the WordPress plugin 'Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget' by wpwax. It affects all versions up to and including 1.6.10. The 'theme' parameter handled by the post_type_ajax_handler() function is not confined to the plugin's own template directory, so an authenticated user with Contributor-level access or higher can point it at other files on the server. The result is local file inclusion (LFI): the included file is run through PHP, so any PHP code it contains executes. This can be used to bypass access controls, disclose data, or achieve remote code execution where the attacker has been able to place a file carrying PHP on the server (for example inside an image or another 'safe' upload). No user interaction is required beyond authentication. Note that in CVSS terms the Contributor requirement is captured as privileges required, not attack complexity; a high attack-complexity rating reflects the separate dependency on getting a suitable file onto the server first. No exploitation in the wild has been observed, but the vulnerability poses a significant risk to sites running this plugin, and patching or mitigation is recommended.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 01:11:32 UTC

Technical Analysis

CVE-2024-13409 is a path traversal vulnerability (CWE-22) in the WordPress plugin 'Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget' by wpwax, present in all versions up to and including 1.6.10. The plugin's post_type_ajax_handler() function takes a 'theme' parameter and uses it to select a template file to include, without validating it against the set of templates the plugin ships or confining the resolved path to the template directory. An authenticated attacker with at least Contributor-level privileges can therefore supply a traversal sequence and have the plugin include an arbitrary file from the server (local file inclusion). Because PHP's include executes whatever PHP code the target file contains, a file that was uploaded as an image or another 'safe' type but carries embedded PHP becomes a remote code execution primitive; a file without PHP is emitted verbatim by include, which is how sensitive data disclosure arises.

No user interaction is needed once the attacker is authenticated. Contributor is a low privilege level in WordPress (one step above Subscriber), and the default Contributor role cannot upload media: the upload_files capability starts at Author. A Contributor-level attacker therefore needs a usable file already on disk, an Author-or-higher account, or another upload path. That dependency is why the CVSS v3.1 base score is 7.5 (high) with full confidentiality, integrity and availability impact but high attack complexity. No patch links are recorded on this page, and no exploitation in the wild has been reported as of the publication date. Successful exploitation bypasses access controls, exposes sensitive data, and can execute arbitrary code, so affected installations should be treated as at critical risk.

Potential Impact

The impact of CVE-2024-13409 is significant for organizations running WordPress sites with the vulnerable wpwax plugin. Successful exploitation can lead to remote code execution on the web server, allowing an attacker to fully compromise the affected system: unauthorized access to sensitive data, website defacement, deployment of malware or ransomware, and use of the server as a pivot point for further attacks within the network. Because the vulnerability needs only Contributor-level access, an attacker who obtains a low-privileged account through other means (weak credentials, phishing, open registration, or another vulnerability) can escalate to full server compromise, provided a file carrying PHP can be placed on or found on the server. This raises the risk for organizations relying on WordPress for critical business functions, especially those handling sensitive customer or internal data. Availability can also suffer from malicious code execution or server instability. The absence of known exploits in the wild reduces immediate risk but not the potential for future exploitation, and the required foothold is modest, so public-facing sites running this plugin should expect targeted attempts aimed at data theft, service disruption, or further network intrusion.

Mitigation Recommendations

To mitigate CVE-2024-13409, first identify every WordPress installation running the 'Post Grid, Slider & Carousel Ultimate – with Shortcode, Gutenberg Block & Elementor Widget' plugin and record its version; any version at or below 1.6.10 is affected. No official patch links are recorded on this page, so monitor the vendor's announcements and update as soon as a fixed release is available. In the interim, limit Contributor and higher roles to trusted users, and audit which roles can upload files (by default Author and above), since the path to code execution runs through a file containing PHP that the attacker can reach on disk. Scan uploads for embedded PHP rather than trusting extensions or MIME types; note that web-server rules that block direct requests to .php files under wp-content/uploads do not stop this attack, because the file is executed through the plugin's include, not by a direct request. Deploy Web Application Firewall rules that decode the 'theme' parameter (including double-encoded forms) and block values containing traversal sequences, absolute paths or PHP stream wrappers, and alert on any admin-ajax.php request carrying such a value. Regularly audit user roles and permissions so no unnecessary privilege escalation path exists. If the plugin is not essential to the site, disable or remove it until a fix is available. Maintain tested backups and an incident response plan so a compromise can be recovered from quickly, and keep WordPress core and all plugins updated to reduce exposure to known vulnerabilities.
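The detection side of the WAF and logging advice above, as an added example that is not part of this page or the plugin: it scans web-server access log lines for admin-ajax.php requests whose 'theme' parameter carries a traversal or stream-wrapper payload, decoding repeatedly so double-encoded sequences are caught. The log lines are constructed samples, and `action=example_action` is a placeholder rather than the plugin's real AJAX action name.

```python
"""
Added example, not part of the page or the plugin: access-log scanner for suspicious
'theme' values on admin-ajax.php. Sample log lines are constructed; the action name
'example_action' is a placeholder.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-format log lines: one benign request, one plain traversal,
# one double-encoded traversal, and one non-admin-ajax request that must be ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2025:11:07:30 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&theme=grid-1 HTTP/1.1" 200 1824 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jan/2025:11:09:01 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&theme=..%2F..%2F..%2Fuploads%2F2025%2F01%2Favatar.jpg HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.9 - - [24/Jan/2025:11:09:15 +0000] "GET /wp-admin/admin-ajax.php?action=example_action&theme=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 640 "-" "curl/8.4.0"
198.51.100.7 - - [24/Jan/2025:11:10:00 +0000] "GET /index.php?theme=../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding; parse_qs has already removed one layer."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(theme: str) -> List[str]:
    """Indicators that a 'theme' value is trying to leave the template directory."""
    reasons = []
    if ".." in theme:
        reasons.append("dot-dot segment")
    if theme.startswith(("/", "\\")):
        reasons.append("absolute path")
    if "\\" in theme:
        reasons.append("backslash separator")
    if "\x00" in theme:
        reasons.append("null byte")
    if re.match(r"(?i)^(php|data|file|phar|expect)://", theme):
        reasons.append("stream wrapper")
    return reasons


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per admin-ajax.php request whose 'theme' value looks malicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin-ajax.php"):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("theme", []):
            theme = fully_decode(raw)
            reasons = traversal_reasons(theme)
            if reasons:
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "status": m.group("status"), "theme": theme,
                                 "reasons": ", ".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Two caveats for using this in practice. Access logs only show query-string parameters; if the plugin's AJAX action is called with the parameter in a POST body, the value is visible only to a WAF or to request-body logging, so the same decode-then-match logic belongs in the WAF rule. And a 200 response to a traversal request is worth treating as a probable success rather than a mere attempt. Plugin version inventory is a separate step; on hosts with WP-CLI, `wp plugin list --fields=name,version,status` lists installed plugins with their versions.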


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-15T17:09:10.356Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e55b7ef31ef0b59e688

Added to database: 2/25/2026, 9:49:09 PM

Last enriched: 2/26/2026, 1:11:32 AM

Last updated: 2/26/2026, 7:03:00 AM

