CVE-2024-5574 is a Local File Inclusion vulnerability identified in the WP Magazine Modules Lite plugin for WordPress, affecting all versions up to and including 1.1.2. The vulnerability arises from improper validation and control of the 'blockLayout' parameter, which is used in PHP include or require statements without adequate sanitization. This flaw allows authenticated users with Contributor-level permissions or higher to manipulate the parameter to include arbitrary files from the server. Since WordPress permits uploading of certain file types like images, attackers can upload malicious PHP code disguised as safe files and then include these files via the vulnerable parameter, leading to remote code execution. The vulnerability is classified under CWE-98, indicating improper control of filenames for include/require statements. The CVSS v3.1 score is 7.5 (High), reflecting network attack vector, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known public exploits exist yet, the vulnerability poses a serious risk due to the potential for privilege escalation, data exposure, and full system compromise on affected WordPress sites.

The impact of CVE-2024-5574 is significant for organizations using the WP Magazine Modules Lite plugin on WordPress sites. Successful exploitation allows attackers with relatively low privileges (Contributor-level) to execute arbitrary PHP code on the web server. This can lead to complete site takeover, including bypassing access controls, stealing sensitive data such as user credentials or configuration files, and deploying persistent backdoors. The vulnerability could also be leveraged to pivot into the internal network or launch further attacks. Given WordPress's dominant market share in content management systems globally, many websites, including corporate, governmental, and e-commerce platforms, could be at risk if they use this plugin. The requirement for authentication reduces the attack surface but does not eliminate risk, especially on sites with multiple contributors or weak account management. The absence of public exploits currently provides a window for remediation before widespread exploitation occurs.

To mitigate CVE-2024-5574, organizations should immediately update the WP Magazine Modules Lite plugin to a version that addresses this vulnerability once available. Until a patch is released, administrators should restrict Contributor-level and higher permissions to trusted users only, minimizing the risk of exploitation. Implement strict file upload controls and validation to prevent uploading of executable PHP code disguised as images or other file types. Employ web application firewalls (WAFs) with rules to detect and block suspicious include parameter manipulations. Review and harden PHP configuration to disable dangerous functions like include/require from user input where possible. Monitor logs for unusual file inclusion attempts or unexpected PHP executions. Additionally, consider isolating WordPress installations in containers or sandboxes to limit potential damage from code execution. Regularly audit user permissions and remove unnecessary contributor accounts to reduce the attack surface.