CVE-2024-35677: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2024-35677) was discovered in StylemixThemes MegaMenu WordPress plugin affecting versions through 2.3.12. The vulnerability was reported on May 7, 2024, and publicly disclosed on June 5, 2024 (Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') that allows PHP Local File Inclusion. It received a CVSS v3.1 base score of 9.8 (CRITICAL) from NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a CVSS score of 9.0 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents. Particularly concerning is the potential access to files containing sensitive information such as database credentials, which could lead to complete database compromise depending on the configuration (Patchstack).

Users are strongly advised to update to version 2.3.13 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until users can update to the fixed version (Patchstack).