CVE-2024-44030: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2024-44030) was discovered in the Checkout Mestres WP WordPress plugin affecting versions up to 8.6. The vulnerability was reported on September 2, 2024, and publicly disclosed on September 24, 2024. This security issue affects the Mestres do WP Checkout Mestres WP plugin, which is a WordPress extension (Patchstack).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerability that allows PHP Local File Inclusion. It has been assigned a CVSS v3.1 base score of 7.2 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is tracked under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their output on the screen. Files containing sensitive information, such as database credentials, could potentially be exposed, which might lead to a complete database takeover depending on the configuration (Patchstack).

The vulnerability has been patched in version 8.6.1 of the Checkout Mestres WP plugin. Users are advised to update to version 8.6.1 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).