CVE-2024-5349: 
WordPress vulnerability analysis and mitigation

The LA-Studio Element Kit for Elementor plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2024-5349) affecting all versions up to and including 1.3.8.1. The vulnerability was discovered and disclosed on July 1, 2024, impacting the WordPress plugin ecosystem (Wordfence Advisory).

The vulnerability exists in the 'map_style' parameter of the plugin, which can be exploited by authenticated users with Contributor-level access or higher. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating a serious security risk that requires network access but low complexity to exploit (NVD).

When successfully exploited, this vulnerability allows attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code contained within those files. This can result in unauthorized access control bypasses, exposure of sensitive data, and potential code execution when attackers can upload and include seemingly safe file types like images (Wordfence Advisory).

A patch has been released to address this vulnerability. Users should upgrade to version 1.3.9 or later of the LA-Studio Element Kit for Elementor plugin (WordPress Plugin).