CVE-2024-37089: 
WordPress vulnerability analysis and mitigation

The CVE-2024-37089 is a Path Traversal vulnerability discovered in StylemixThemes Consulting Elementor Widgets WordPress plugin that allows PHP Local File Inclusion. The vulnerability affects all versions up to and including 1.3.0, with a fix available in version 1.3.1. The vulnerability was initially disclosed on June 20, 2024, and was assigned a Critical severity rating (Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) that enables PHP Local File Inclusion. It received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code in those files. This can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included (WPScan).

The recommended mitigation is to update the Consulting Elementor Widgets plugin to version 1.3.1 or later, which contains the fix for this vulnerability. For Patchstack users, virtual patching is available to mitigate this issue by blocking any attacks until the update can be applied (Patchstack).