CVE-2024-54374: 
WordPress vulnerability analysis and mitigation

The Sogrid WordPress plugin contains a Local File Inclusion (LFI) vulnerability affecting versions up to and including 1.5.6. This security issue was discovered on December 11, 2024, and has been assigned CVE-2024-54374. The vulnerability allows unauthenticated attackers to include and execute arbitrary local files on the affected server (Patchstack, WPScan).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue, which enables PHP Local File Inclusion. The CVSS v3.1 base score is 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. This indicates that the vulnerability can be exploited remotely without requiring privileges, though it does need user interaction (Patchstack).

The vulnerability could allow attackers to include and execute arbitrary files on the server, potentially leading to the exposure of sensitive information such as database credentials. This could result in complete database takeover depending on the server configuration. Additionally, attackers could bypass access controls and achieve code execution if certain conditions are met (WPScan).

The vulnerability has been fixed in version 1.5.7 of the Sogrid plugin. Users are strongly advised to update to this version immediately. For users unable to update immediately, virtual patching solutions are available through security providers to mitigate the risk (Patchstack).