CVE-2024-50453: 
WordPress vulnerability analysis and mitigation

A Relative Path Traversal vulnerability (CVE-2024-50453) was discovered in Webangon's The Pack Elementor addons WordPress plugin affecting versions up to 2.0.9. The vulnerability was disclosed on October 24, 2024, and allows PHP Local File Inclusion through path traversal (Patchstack).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Patchstack assigned a score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal) (NVD).

The vulnerability could allow a malicious actor to include local files of the target website and display their contents. This could potentially expose sensitive information such as database credentials, which depending on the configuration, could lead to complete database compromise (Patchstack).

Users are advised to update to version 2.1.0 or later of The Pack Elementor addons plugin to remediate this vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).