CVE-2024-13593 identifies a Local File Inclusion vulnerability in the BMLT Meeting Map plugin for WordPress, affecting all versions up to and including 2.6.0. The vulnerability arises from improper validation and control of filenames used in PHP include or require statements within the 'bmlt_meeting_map' shortcode. Authenticated users with Contributor-level access or higher can exploit this flaw by manipulating the shortcode parameters to include arbitrary files on the server. This can lead to execution of arbitrary PHP code, enabling attackers to bypass access controls, read sensitive files, or execute malicious code remotely. The vulnerability is classified under CWE-98, which concerns improper control of filenames for include/require statements. The CVSS v3.1 score of 7.5 reflects high severity, with network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability poses a serious risk to affected WordPress sites, especially those allowing Contributor-level users to upload files or manipulate shortcode parameters. The lack of available patches at the time of reporting necessitates immediate mitigation steps to prevent exploitation.

The impact of CVE-2024-13593 is substantial for organizations using the BMLT Meeting Map plugin. Successful exploitation can lead to remote code execution on the web server, allowing attackers to execute arbitrary PHP code. This can result in full compromise of the affected web server, including unauthorized access to sensitive data, modification or deletion of content, and potential lateral movement within the network. The ability to bypass access controls means that even users with limited privileges can escalate their capabilities, increasing the risk of insider threats or compromised accounts being leveraged for attacks. For organizations relying on WordPress for critical services or hosting sensitive information, this vulnerability could lead to data breaches, service disruptions, reputational damage, and regulatory penalties. The widespread use of WordPress globally amplifies the potential scope of impact, particularly for non-technical users who may not promptly update or secure their plugins.

To mitigate CVE-2024-13593, organizations should immediately restrict Contributor-level user capabilities to prevent uploading or manipulating shortcode parameters until a patch is available. Implement strict input validation and sanitization on all shortcode parameters to prevent inclusion of arbitrary files. Employ web application firewalls (WAFs) with rules designed to detect and block attempts to exploit file inclusion vulnerabilities. Monitor logs for unusual file inclusion attempts or unexpected PHP code execution. Disable or limit the use of the 'bmlt_meeting_map' shortcode if feasible. Encourage users to upgrade to a patched version once released by the vendor. Additionally, conduct regular security audits of WordPress plugins and user permissions to minimize attack surfaces. Segmentation of web servers and limiting file upload types can further reduce risk. Finally, maintain up-to-date backups to enable recovery in case of compromise.