CVE-2024-38706: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2024-38706) was discovered in HasThemes HT Mega WordPress plugin affecting versions through 2.5.7. The vulnerability was disclosed on July 12, 2024, and involves improper limitation of pathname to restricted directories (NVD, Patchstack).

The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and has received varying CVSS v3.1 severity ratings. The NVD assigned a CVSS base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack rated it at 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows path traversal attacks, potentially enabling attackers to access files outside of intended directories. The high CVSS ratings indicate significant potential impact on confidentiality, integrity, and availability of the affected systems (NVD).

Users are advised to update to HT Mega version 2.5.8 or later to resolve the vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking attacks until users can update to a fixed version (Patchstack).