CVE-2024-11642: 
WordPress vulnerability analysis and mitigation

The Post Grid Master WordPress plugin (Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder) contains a Local File Inclusion vulnerability (CVE-2024-11642) affecting all versions up to and including 3.4.12. The vulnerability was discovered in the 'locate_template' function, which allows unauthenticated attackers to include and execute arbitrary PHP files on the server (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory - Path Traversal). The issue specifically involves the improper implementation of the 'locate_template' function, which can be exploited to include and execute PHP files on the affected server (NVD, Wordfence).

The vulnerability allows attackers to bypass access controls, obtain sensitive data, and achieve code execution, particularly in cases where images and other "safe" file types can be uploaded and included. The attack requires the included files to have a .PHP extension (NVD).