CVE-2024-4441: 
WordPress vulnerability analysis and mitigation

The XML Sitemap & Google News plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2024-4441) affecting all versions up to and including 5.4.8. This vulnerability was discovered and reported by Wordfence, with the initial disclosure made on May 14, 2024 (Wordfence Report).

The vulnerability exists in the 'feed' parameter of the plugin, which fails to properly validate user input. The issue has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating that it can be exploited remotely without requiring authentication or user interaction (Wordfence Report).

If exploited, this vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server. This can lead to the execution of any PHP code contained within those files. The vulnerability can be leveraged to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other 'safe' file types can be uploaded and included (NVD).

Website administrators running the XML Sitemap & Google News plugin should immediately update to a version newer than 5.4.8 (WordPress Plugin).