CVE-2024-54225: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2024-54225) was discovered in CodegearThemes Designer WordPress plugin affecting versions through 1.3.3. The vulnerability was publicly disclosed on December 5, 2024, and was discovered by researcher João Pedro Soares de Alcântara. This security issue affects the Designer plugin and allows authenticated users with contributor-level access or higher to perform local file inclusion attacks (WPScan, Patchstack).

The vulnerability is classified as an Improper Control of Filename for Include/Require Statement in PHP Program (CWE-98). It received a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue falls under the OWASP Top 10 category A1: Injection (NVD, Patchstack).

This vulnerability allows authenticated attackers with contributor-level access to include and execute arbitrary files on the server. This can potentially lead to bypassing access controls, obtaining sensitive data, or achieving code execution in cases where images and other "safe" file types can be uploaded and included. Files containing credentials, such as database configurations, could potentially be exposed, leading to complete database compromise depending on the server configuration (WPScan, Patchstack).

The vulnerability has been fixed in version 1.5.0 of the Designer plugin. Users are strongly advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).