CVE-2024-43957: 
WordPress vulnerability analysis and mitigation

A Path Traversal vulnerability (CVE-2024-43957) was discovered in the Animated Number Counters WordPress plugin, affecting versions up to 1.9. The vulnerability was reported on August 26, 2024, and allows PHP Local File Inclusion through improper limitation of pathname to restricted directories (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a score of 6.5 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially expose sensitive information, including database credentials, which might lead to complete database compromise depending on the configuration (Patchstack).

Users are advised to update to version 2.2 or later of the Animated Number Counters plugin to remediate this vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).