CVE-2024-5882: 
WordPress vulnerability analysis and mitigation

The Ultimate Classified Listings WordPress plugin before version 1.3 contains a Local File Inclusion (LFI) vulnerability. The plugin fails to properly validate the ucl_page and layout parameters, which allows unauthenticated users to access PHP files on the server from the listings page. This vulnerability was discovered and reported by Project Black on July 8, 2024 (WPScan).

The vulnerability stems from improper validation of two parameters: ucl_page and layout. When accessing a post containing the [uclwp_listings] shortcode, unauthenticated users can manipulate these parameters to include arbitrary PHP files from the server. The vulnerability has been assigned a CVSS 3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and no required privileges (NIST NVD).

The vulnerability allows unauthenticated attackers to access PHP files on the server through path traversal, potentially exposing sensitive information and configuration files. This could lead to unauthorized access to critical system files and potential exposure of sensitive data (WPScan).

The vulnerability has been fixed in version 1.3 of the Ultimate Classified Listings WordPress plugin. Users are strongly advised to update to this version or later to protect against potential attacks (WPScan).