CVE-2024-52499: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2024-52499) was discovered in the Kardi Pricing table addon for Elementor WordPress plugin, affecting versions through 1.0.0. The vulnerability was reported on November 20, 2024, by researcher João Pedro S Alcântara (Kinorth) and published by Patchstack (Patchstack Database).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion) vulnerability, identified as CWE-98. It received a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability requires Contributor or higher privileges to exploit (NVD).

This vulnerability could allow a malicious actor to include local files of the target website and display their contents on the screen. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the system configuration (Patchstack Database).

As no official fix is available and the software is considered abandoned, the recommended mitigation is to remove and replace the plugin with an alternative solution. Note that merely deactivating the plugin does not remove the security threat unless a virtual patch is deployed (Patchstack Database).