CVE-2024-49701: 
WordPress vulnerability analysis and mitigation

The Mags WordPress theme contains a Local File Inclusion vulnerability (CVE-2024-49701) affecting versions up to and including 1.1.6. The vulnerability was discovered on October 21, 2024, and allows unauthenticated attackers to include and execute arbitrary files on the server. The issue was publicly disclosed and a fix was released in version 1.1.7 (WPScan, Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98). It has received varying CVSS scores, with Patchstack assigning a CVSS v3.1 score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, while other sources like WPScan rate it at 9.8 (Critical). The vulnerability falls under the OWASP Top 10 category A1: Injection (WPScan, Patchstack).

The vulnerability allows attackers to include and execute arbitrary files on the server, potentially leading to complete code execution. This can be exploited to bypass access controls, obtain sensitive data such as database credentials, and achieve code execution particularly in cases where images and other 'safe' file types can be uploaded and included (WPScan).

Users are advised to update to Mags theme version 1.1.7 or later to remediate this vulnerability. For those unable to update immediately, Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks (Patchstack).