CVE-2021-24947: 
WordPress vulnerability analysis and mitigation

The RVM (Responsive Vector Maps) WordPress plugin before version 6.4.2 contained a security vulnerability identified as CVE-2021-24947. The vulnerability was discovered by Krzysztof Zając and publicly disclosed on January 6, 2022. This security issue affected the plugin's file handling functionality, specifically impacting websites running versions prior to 6.4.2 (WPScan).

The vulnerability stems from improper authorization mechanisms, missing CSRF checks, and inadequate validation of the rvmuploadregionsfilepath parameter in the rvmimportregions AJAX action. The vulnerability has been assigned a CVSS score of 7.7 (High) and is classified under CWE-552. The technical implementation flaw falls under the OWASP Top 10 category A1: Injection (WPScan).

The security flaw allows any authenticated user, including those with minimal privileges such as subscribers, to read arbitrary files on the web server. This could potentially lead to unauthorized access to sensitive server files and information disclosure (WPScan, MITRE).

The vulnerability has been patched in version 6.4.2 of the RVM WordPress plugin. Website administrators running affected versions should immediately upgrade to version 6.4.2 or later to mitigate this security risk (WPScan).