CVE-2024-4551 is a Local File Inclusion vulnerability classified under CWE-98, affecting the Video Gallery – YouTube Playlist, Channel Gallery by YotuWP WordPress plugin in all versions up to 1.3.13. The vulnerability exists due to improper validation and control of filenames used in PHP include or require statements within the plugin's display function. Authenticated attackers with contributor-level or higher permissions can exploit this flaw by manipulating the input to include arbitrary PHP files stored on the server. This allows execution of arbitrary PHP code, which can lead to bypassing access controls, unauthorized data access, or full code execution on the web server. The vulnerability is significant because contributor-level access is relatively common in WordPress environments, and the plugin is widely used for embedding YouTube content. The CVSS 3.1 score of 6.4 reflects that the attack can be performed remotely over the network with low complexity, requires authentication but no user interaction, and impacts confidentiality and integrity with no effect on availability. Although no public exploits are currently known, the vulnerability's nature makes it a high-risk target for attackers seeking to escalate privileges or compromise WordPress sites. The lack of available patches at the time of disclosure increases the urgency for mitigation.

The exploitation of CVE-2024-4551 can have serious consequences for organizations running vulnerable versions of the YotuWP plugin. Attackers with contributor or higher privileges can execute arbitrary PHP code, potentially leading to full site compromise, data leakage, or unauthorized access to sensitive information. This can result in defacement, data theft, or use of the compromised server as a pivot point for further attacks within the network. Since WordPress is widely used globally, and contributor access is often granted to multiple users, the attack surface is significant. The ability to bypass access controls and execute code undermines the integrity and confidentiality of the affected systems. Although availability is not directly impacted, the overall security posture and trustworthiness of the affected websites are severely compromised. Organizations may face reputational damage, regulatory penalties, and operational disruptions if exploited.

To mitigate CVE-2024-4551, organizations should immediately restrict contributor-level user permissions to trusted individuals only and audit existing users for unnecessary privileges. Disable or remove the vulnerable YotuWP plugin if it is not essential. Monitor web server logs for suspicious include or require activity and anomalous PHP file executions. Implement Web Application Firewall (WAF) rules to detect and block attempts to exploit file inclusion vulnerabilities, specifically targeting the plugin's display function parameters. Until an official patch is released, consider applying virtual patching techniques or custom code filters to sanitize inputs used in include/require statements. Regularly update WordPress core, plugins, and themes to the latest versions once patches become available. Conduct security reviews and penetration testing focused on file inclusion and code injection vectors. Backup website data frequently and maintain incident response plans to quickly address potential compromises.