CVE-2024-13592 is a Local File Inclusion vulnerability classified under CWE-98, found in the Team Builder For WPBakery Page Builder plugin for WordPress, formerly known as Visual Composer. The vulnerability exists in all versions up to and including 1.0 and is triggered via the 'team-builder-vc' shortcode. It allows authenticated users with Contributor-level permissions or higher to manipulate the filename parameter used in PHP include or require statements improperly. This flaw enables attackers to include arbitrary files from the server, which can contain malicious PHP code. Since WordPress contributors can upload files such as images, attackers may upload files with embedded PHP code disguised as safe file types and then include them to execute arbitrary code. This can lead to full system compromise, including bypassing access controls, data exfiltration, and remote code execution. The vulnerability has a CVSS v3.1 base score of 7.5, reflecting high severity, with network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability presents a significant risk due to the widespread use of the affected plugin and the ease of exploitation once authenticated access is obtained.

The impact of CVE-2024-13592 is severe for organizations using the affected WordPress plugin. An attacker with Contributor-level access can execute arbitrary PHP code on the server, potentially leading to full system compromise. This includes bypassing WordPress access controls, stealing sensitive data such as user credentials and database contents, defacing websites, deploying malware or ransomware, and disrupting service availability. Since WordPress powers a large portion of websites globally, including many business and e-commerce sites, exploitation could result in significant reputational damage, financial loss, and regulatory penalties. The requirement for authenticated access limits exposure somewhat but does not eliminate risk, as Contributor accounts are commonly available in multi-user environments or can be compromised through phishing or other means. The ability to upload seemingly safe files that can be included and executed increases the attack surface and complicates detection and prevention.

To mitigate CVE-2024-13592, organizations should immediately update the Team Builder For WPBakery Page Builder plugin to a patched version once available. In the absence of an official patch, administrators should restrict Contributor-level permissions to trusted users only and audit existing Contributor accounts for suspicious activity. Implement strict file upload validation and sanitization to prevent uploading files containing executable code disguised as images or other safe types. Disable or restrict the use of the vulnerable 'team-builder-vc' shortcode if possible. Employ Web Application Firewalls (WAFs) with rules to detect and block attempts to exploit LFI vulnerabilities. Monitor server logs for unusual file inclusion attempts and anomalous PHP execution patterns. Additionally, consider isolating the WordPress environment using containerization or sandboxing to limit the impact of potential code execution. Regularly back up website data and configurations to enable recovery in case of compromise.