CVE-2024-50434: 
WordPress vulnerability analysis and mitigation

The NewsCard WordPress theme contains a Local File Inclusion vulnerability (CVE-2024-50434) affecting versions up to and including 1.3. The vulnerability was discovered by researcher tahu.datar and publicly disclosed on October 24, 2024. This security issue allows unauthenticated attackers to include and execute arbitrary files on the server (WPScan, Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion), identified as CWE-98. It has received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H according to Patchstack's assessment (Patchstack).

The vulnerability enables attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code within those files. This can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included (WPScan).

The vulnerability has been fixed in version 1.4 of the NewsCard theme. Users are strongly advised to update to version 1.4 or later immediately. Patchstack has issued a virtual patch to mitigate this issue by blocking any attacks until users can update to a fixed version (Patchstack).