
CVE-2024-4258: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in yotuwp Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Severity: Critical
Tags: Vulnerability, CVE-2024-4258, CWE-98
Published: Sat Jun 15 2024 (06/15/2024, 08:42:16 UTC)
Source: CVE Database V5
Vendor/Project: yotuwp
Product: Video Gallery – YouTube Playlist, Channel Gallery by YotuWP

Description

CVE-2024-4258 is a critical Local File Inclusion (LFI) vulnerability in the Video Gallery – YouTube Playlist, Channel Gallery by YotuWP WordPress plugin, affecting all versions up to and including 1.3.13. An unauthenticated attacker controls the file name that the plugin passes to a PHP include/require statement through the 'settings' parameter (CWE-98, which covers local as well as remote inclusion) and can therefore include arbitrary files from the server. Any PHP code in an included file is executed, so the flaw becomes remote code execution wherever the attacker can first get PHP into a file the server can read (for example through an upload that accepts 'safe' file types); even without such a file it allows bypassing access controls and disclosing sensitive data. Exploitation requires no authentication or user interaction and has high impact on confidentiality, integrity, and availability. No exploitation in the wild has been reported, but the CVSS 3.1 score of 9.8 places the issue at critical severity. Organizations running this plugin should update to a release above 1.3.13 as soon as the vendor provides one (check the plugin changelog) and disable or remove the plugin in the meantime.

AI-Powered Analysis

Last updated: 02/26/2026, 00:32:41 UTC

Technical Analysis

CVE-2024-4258 is classified as CWE-98, improper control of the file name used in a PHP include or require statement, in the Video Gallery – YouTube Playlist, Channel Gallery by YotuWP WordPress plugin, and is present in all versions up to and including 1.3.13. The plugin passes the value of the 'settings' request parameter into an include without adequate validation, so an unauthenticated attacker can choose which file on the server is included. Because PHP executes whatever PHP code an included file contains, this Local File Inclusion becomes remote code execution when the attacker can first place PHP into a readable file (an upload accepted as a 'safe' file type, for instance); without such a file it still yields disclosure of readable files and bypass of the plugin's access controls. No authentication or user interaction is needed and the attack is a single HTTP request, so it can be automated against any exposed site. The inclusion is local rather than remote, which matters for hardening: allow_url_include=Off does not block it. No public exploit had been reported at the time of this analysis, but the CVSS 3.1 score of 9.8 reflects high impact on confidentiality, integrity, and availability. The affected range ends at 1.3.13; administrators should confirm from the vendor's changelog which release carries the fix rather than assuming none is available, and should treat internet-facing sites still on 1.3.13 or earlier as exposed.

Potential Impact

Successful exploitation lets an unauthenticated attacker include any file the PHP worker can read. Where the attacker can also get PHP into such a file, that is remote code execution and therefore full compromise of the site: data theft, defacement, installation of backdoors, and a foothold for pivoting to other internal systems. Even without code execution, the inclusion discloses readable files and bypasses the plugin's access checks, so confidentiality is at high risk; integrity is at risk because an attacker with code execution can modify files and data; availability can be disrupted by destructive payloads or denial-of-service conditions. Because no authentication or user interaction is required, exploitation can be automated at scale across every exposed WordPress site running the plugin, including e-commerce, media, and corporate sites, and the size of the WordPress install base makes the potential attack surface large.

Mitigation Recommendations

1. Update the Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin to a release above 1.3.13 as soon as the vendor provides one (the affected range ends at 1.3.13; check the plugin changelog for the fixing version), and confirm the installed version on every site you operate.
2. Until the update is applied, deactivate the plugin or, preferably, delete it: deleting removes the plugin's files entirely, which is the safer choice when the vulnerable code path might be reachable without the plugin being active.
3. Add Web Application Firewall (WAF) rules that block requests whose 'settings' parameter contains traversal sequences (../ in plain, URL-encoded, or double-encoded form), absolute paths, PHP stream wrappers (php://, data:, phar://, file://), or null bytes. Decode the value fully before matching, or the encoded forms slip through.
4. Restrict file permissions so the PHP worker can write only where WordPress genuinely needs it, and deny PHP execution in wp-content/uploads so an uploaded file cannot be turned into an include target.
5. Harden the PHP configuration: keep allow_url_include=Off (this stops remote inclusion, though not the local inclusion at issue here), and set open_basedir to the web root so includes cannot read files elsewhere on the host.
6. Monitor web server logs for requests carrying a 'settings' parameter with the indicators from item 3; treat 200 responses with a non-trivial body as possibly successful and investigate the source first.
7. Audit affected systems for signs of compromise: unexpected PHP files under wp-content, modified core files (WP-CLI's `wp core verify-checksums` helps), unknown administrator accounts, and unfamiliar scheduled tasks.
8. Treat every upload as a potential include target: allow only the file types the site needs, validate content rather than extension alone, and validate all user input that reaches the file system.
9. Use security plugins that detect and block malicious file inclusions or code injection attempts.
10. Maintain tested, offline backups and keep an incident response plan ready in case of exploitation.
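The scanner below is an added example written for this page, not code from the YotuWP plugin, Wordfence, or the OffSeq analysis. It illustrates the exploitation pattern described in the technical analysis and the detection asked for in mitigation items 3 and 6: it parses access-log lines, fully decodes the 'settings' parameter (so double-encoded probes are caught), and labels each request with the LFI indicators it carries. The log lines are constructed, the IP addresses are documentation ranges, and the `/?settings=` request path is a placeholder, because the plugin endpoint that reads the parameter is not given on this page; the scanner therefore keys on the parameter name wherever it appears in the query string.

```python
"""Flag access-log requests whose 'settings' parameter looks like an LFI probe.

Added example for CVE-2024-4258-style detection; sample log lines are constructed
and request paths are placeholders (the real plugin endpoint is not on the page).
"""
import re
from urllib.parse import unquote, urlsplit

# Combined log format (Apache/nginx default); only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

WATCHED_PARAMS = {"settings"}  # parameter named in the advisory

TRAVERSAL_RE = re.compile(r"\.\./")                       # ../ after normalisation
ABSOLUTE_RE = re.compile(r"^(/|[a-z]:/)")                  # /etc/..., c:/...
WRAPPER_RE = re.compile(r"^(?:php|file|phar|glob|zip|data|expect|https?|ftps?):")
SENSITIVE_RE = re.compile(r"(etc/passwd|wp-config\.php|proc/self|\.htaccess|\.env$)")


def normalize(raw: str, max_rounds: int = 3) -> tuple[str, int]:
    """Percent-decode until stable, unify slashes, lowercase.

    Returns (decoded value, number of decode rounds that changed it); two or more
    rounds means the value was double-encoded to slip past a single-decode filter.
    """
    current, rounds = raw, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current.replace("\\", "/").lower(), rounds


def classify(raw: str) -> list[str]:
    """Return the LFI indicators present in one raw (undecoded) query-string value."""
    value, rounds = normalize(raw)
    indicators = []
    if TRAVERSAL_RE.search(value):
        indicators.append("traversal")
    if ABSOLUTE_RE.match(value):
        indicators.append("absolute-path")
    if WRAPPER_RE.match(value):
        indicators.append("wrapper")
    if "\x00" in value:
        indicators.append("null-byte")
    if SENSITIVE_RE.search(value):
        indicators.append("sensitive-target")
    if rounds >= 2:
        indicators.append("double-encoding")
    return indicators


def query_params(uri: str):
    """Yield (name, raw_value); values stay undecoded so normalize() sees every layer."""
    for pair in urlsplit(uri).query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            yield unquote(name), value


def scan_log(text: str) -> list[dict]:
    """One hit per request whose watched parameter carries at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, raw in query_params(m["uri"]):
            if name in WATCHED_PARAMS:
                indicators = classify(raw)
                if indicators:
                    hits.append({"ip": m["ip"], "status": int(m["status"]),
                                 "param": name, "value": normalize(raw)[0],
                                 "indicators": indicators})
    return hits


# Constructed sample log (not real traffic); one benign request, six probes, one unrelated POST.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2024:09:01:02 +0000] "GET /?settings=default HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [15/Jun/2024:09:01:05 +0000] "GET /?settings=../../../../etc/passwd HTTP/1.1" 200 1813 "-" "curl/8.0"
203.0.113.12 - - [15/Jun/2024:09:01:09 +0000] "GET /?settings=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 0 "-" "-"
203.0.113.13 - - [15/Jun/2024:09:01:12 +0000] "GET /?settings=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 231 "-" "-"
203.0.113.14 - - [15/Jun/2024:09:01:20 +0000] "GET /?settings=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 3300 "-" "-"
203.0.113.15 - - [15/Jun/2024:09:02:01 +0000] "GET /?settings=../uploads/2024/06/avatar.jpg%00 HTTP/1.1" 200 77 "-" "-"
203.0.113.16 - - [15/Jun/2024:09:02:15 +0000] "GET /?p=5&settings=/etc/passwd HTTP/1.1" 200 1813 "-" "-"
203.0.113.17 - - [15/Jun/2024:09:02:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "-"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["status"]} {hit["indicators"]} {hit["value"]!r}')
```

Run it against a real combined-format log with `scan_log(open(path).read())`. The same indicator list can be turned into a WAF rule for item 3; the key design point is that matching happens on the fully decoded value, which is why the double-encoded probe (203.0.113.13) is still caught. Triage hits with status 200 and a non-trivial response size first, since a successful local inclusion returns the included file's contents in the body; 404s and empty bodies are usually failed guesses. A POST body is not in the access log, so this scanner only sees parameters in the query string.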


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-04-26T13:03:50.277Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b84b7ef31ef0b556313

Added to database: 2/25/2026, 9:37:08 PM

Last enriched: 2/26/2026, 12:32:41 AM

Last updated: 2/26/2026, 11:18:21 AM


