CVE-2024-38709: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability has been identified in Milan Petrovic GD Rating System WordPress plugin through version 3.6. The vulnerability was discovered on June 25, 2024, and publicly disclosed on July 11, 2024. This security flaw affects all versions of GD Rating System up to and including version 3.6, with a fix available in version 3.6.1 (Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') issue, identified as CVE-2024-38709. It has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is categorized under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (Patchstack).

The vulnerability allows PHP Local File Inclusion, which could enable a malicious actor to include local files of the target website and display their contents. This could potentially expose sensitive information, including database credentials, which might lead to complete database compromise depending on the system configuration (Patchstack).

Users are advised to update to GD Rating System version 3.6.1 or later to remediate this vulnerability. The security issue has been assessed as having a low severity impact and is considered unlikely to be exploited in the wild (Patchstack).