CVE-2024-35650 is a Remote File Inclusion (RFI) vulnerability found in the MelaPress Login Security WordPress plugin, affecting all versions up to and including 1.3.0. The vulnerability stems from improper validation and control over filenames used in PHP include or require statements. This flaw allows an attacker to manipulate the input that determines which file is included, enabling them to specify a remote file hosted on an attacker-controlled server. When the vulnerable PHP code includes this remote file, it executes arbitrary code within the context of the web server. This can lead to full compromise of the affected website, including unauthorized access, data leakage, defacement, or pivoting to internal networks. The vulnerability does not require authentication, making it exploitable by unauthenticated remote attackers. Although no public exploits have been reported yet, the nature of RFI vulnerabilities makes them highly attractive targets. The plugin is used to enhance login security on WordPress sites, which are prevalent worldwide. The lack of a CVSS score indicates the need for an expert severity assessment, which is high due to the potential impact and ease of exploitation. No official patches or mitigation links have been published at the time of disclosure, increasing urgency for defensive measures.

The impact of CVE-2024-35650 is severe for organizations using the MelaPress Login Security plugin. Successful exploitation allows attackers to execute arbitrary code remotely, potentially leading to complete website takeover. This can result in data breaches, loss of customer trust, defacement, and use of the compromised site as a launchpad for further attacks within the organization's network. For e-commerce, financial, or critical infrastructure websites, the consequences can include financial loss, regulatory penalties, and operational disruption. Since WordPress powers a significant portion of the web, the vulnerability's reach is broad. The lack of authentication requirement and remote exploitability increase the risk of widespread automated attacks once exploit code becomes available. Organizations with weak monitoring or delayed patching processes are particularly vulnerable to rapid compromise and persistent threats.

To mitigate CVE-2024-35650, organizations should immediately assess if they use the MelaPress Login Security plugin and identify affected versions (<= 1.3.0). If possible, disable or uninstall the plugin until a secure patch is released. Restrict PHP include paths to trusted directories using configuration directives like open_basedir and disable allow_url_include in php.ini to prevent remote file inclusion. Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious file inclusion attempts. Monitor web server logs for unusual requests targeting include parameters. Employ strict input validation and sanitization for any user-controllable inputs related to file inclusion. Keep WordPress core, plugins, and themes updated regularly. Engage with the plugin vendor or security community for patches or workarounds. In the absence of official patches, consider code review and manual fixes to enforce safe file inclusion practices. Finally, maintain regular backups and incident response plans to recover from potential compromises.