CVE-2024-0844: 
WordPress vulnerability analysis and mitigation

The Popup More Popups, Lightboxes, and more popup modules plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2024-0844) in version 2.1.6. The vulnerability was discovered in February 2024 and affects the ycfChangeElementData() function (NVD).

The vulnerability exists in the ycfChangeElementData() function and allows authenticated attackers with administrator-level access to include and execute arbitrary files ending with 'Form.php' on the server. The vulnerability has received a CVSS v3.1 base score of 7.2 (HIGH) from NIST with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, while Wordfence assessed it at 4.7 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

When exploited, this vulnerability can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other 'safe' file types can be uploaded and included (NVD).

Users should update to a version newer than 2.1.6 of the Popup More Popups, Lightboxes, and more popup modules plugin for WordPress. The vulnerability affects versions up to and including 2.1.6 (NVD).