CVE-2024-49690: 
WordPress vulnerability analysis and mitigation

The Qi Blocks WordPress plugin contains a Local File Inclusion vulnerability (CVE-2024-49690) affecting versions up to and including 1.3.2. The vulnerability was discovered on September 17, 2024, and publicly disclosed on October 21, 2024. This security issue affects the Qi Blocks plugin developed by Qode Interactive (WPScan, Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) with CWE-98. It has received a CVSS v3.1 base score of 7.5 (High) from Patchstack with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, while WPScan rates it at 8.8 (High) (Patchstack, WPScan).

The vulnerability allows authenticated attackers with contributor-level access or higher to include and execute arbitrary files on the server. This can lead to bypassing access controls, obtaining sensitive data, or achieving code execution in cases where images and other 'safe' file types can be uploaded and included. Files containing credentials, such as database configurations, could potentially be accessed, leading to complete database compromise depending on the server configuration (WPScan, Patchstack).

The vulnerability has been fixed in version 1.3.3 of the Qi Blocks plugin. Users are advised to update to version 1.3.3 or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).