CVE-2024-3813 is a Local File Inclusion vulnerability classified under CWE-98, affecting the tagDiv Composer plugin for WordPress in all versions up to and including 4.8. The vulnerability arises from improper control of filenames used in include or require statements within the plugin's code, specifically via the 'block_template_id' attribute of the 'td_block_title' shortcode. Authenticated attackers with contributor-level or higher permissions can manipulate this attribute to include arbitrary files from the server filesystem. If an attacker can upload PHP files (e.g., via other vulnerabilities or misconfigurations), they can execute arbitrary PHP code, leading to full server compromise. The vulnerability enables bypassing of access controls and unauthorized data access. The CVSS 3.1 score is 8.8 (high), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability's nature and ease of exploitation make it a critical risk for affected WordPress sites using tagDiv Composer. The lack of an official patch at the time of reporting necessitates immediate mitigation steps.

The impact of CVE-2024-3813 is severe for organizations using the tagDiv Composer plugin on WordPress sites. Successful exploitation allows attackers with contributor-level access to execute arbitrary PHP code on the web server, potentially leading to full system compromise. This can result in unauthorized data disclosure, modification, or deletion, and disruption of website availability. Attackers can bypass access controls, escalate privileges, implant backdoors, or pivot to internal networks. Given WordPress's widespread use globally, especially among businesses relying on content management systems, this vulnerability poses a significant risk to data confidentiality, integrity, and availability. Organizations hosting sensitive or critical web applications with this plugin are at heightened risk of targeted attacks, data breaches, and reputational damage.

1. Immediately update the tagDiv Composer plugin to a patched version once available from the vendor. Monitor official channels for patch releases. 2. Until a patch is available, restrict contributor-level and higher permissions to trusted users only, minimizing the attack surface. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'block_template_id' parameter. 4. Disable or restrict file upload capabilities where possible, especially for PHP files, to prevent attackers from uploading malicious code that could be included. 5. Conduct thorough audits of user permissions and remove unnecessary contributor or higher roles. 6. Monitor server logs for unusual file inclusion attempts or PHP execution anomalies. 7. Employ file integrity monitoring to detect unauthorized changes to PHP files. 8. Consider isolating WordPress instances or running them with least privilege to limit impact of potential compromise. 9. Educate administrators and developers about the risks of improper input validation in include/require statements to prevent similar vulnerabilities.