CVE-2024-38772: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2024-38772) was discovered in Crocoblock JetWidgets for Elementor and WooCommerce plugin versions up to 1.1.7. The vulnerability was reported on June 10, 2024, by researcher João Pedro S Alcântara (Kinorth) and was publicly disclosed on July 19, 2024 (Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue that allows PHP Local File Inclusion. It has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (Patchstack).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially expose sensitive information, including database credentials, which depending on the configuration could lead to complete database compromise (Patchstack).

The vulnerability has been patched in version 1.1.8 of the JetWidgets for Elementor and WooCommerce plugin. Users are advised to update to version 1.1.8 or later to remediate the vulnerability (Patchstack).