CVE-2024-3564 is a Local File Inclusion vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement) affecting the Content Blocks (Custom Post Widget) plugin for WordPress, versions up to and including 3.3.0. The vulnerability arises from insufficient validation of input passed to the 'content_block' shortcode, allowing an authenticated user with contributor-level permissions or higher to manipulate the filename parameter used in PHP include or require statements. This flaw enables attackers to include arbitrary files from the server, including those uploaded as images or other seemingly safe file types, which can contain malicious PHP code. Once included, the attacker can execute arbitrary PHP code on the server, leading to full compromise of the web application environment. The vulnerability does not require user interaction beyond authentication, and the attack vector is remote with network access. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and privileges required. No official patches or exploit code are currently publicly available, but the vulnerability is published and should be considered critical for affected users. This vulnerability can be leveraged to bypass access controls, escalate privileges, and extract sensitive information from the server.

The impact of CVE-2024-3564 is severe for organizations running WordPress sites with the vulnerable Content Blocks plugin. Successful exploitation allows attackers to execute arbitrary PHP code remotely, which can lead to full server compromise, including data theft, defacement, or pivoting to internal networks. Confidentiality is at high risk as attackers can access sensitive files and data. Integrity is compromised because attackers can modify site content or configurations. Availability may be affected if attackers deploy destructive payloads or ransomware. Since contributor-level access is sufficient, insider threats or compromised accounts can be leveraged easily. The vulnerability also enables bypassing of normal WordPress access controls, increasing the attack surface. Organizations relying on this plugin for content management are at risk of significant operational disruption and reputational damage if exploited.

To mitigate CVE-2024-3564, organizations should immediately upgrade the Content Blocks (Custom Post Widget) plugin to a version where this vulnerability is fixed once available. Until a patch is released, restrict contributor-level and higher permissions to trusted users only, minimizing the risk of exploitation. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'content_block' shortcode parameters. Conduct thorough audits of uploaded files to prevent malicious PHP code disguised as images or other file types. Employ strict input validation and sanitization on all shortcode parameters if custom modifications are possible. Monitor server logs for unusual file inclusion attempts or PHP execution anomalies. Additionally, consider disabling or removing the plugin if it is not essential to reduce the attack surface. Regularly back up website data and configurations to enable recovery in case of compromise.