CVE-2024-6460: 
NixOS vulnerability analysis and mitigation

The Grow by Tradedoubler WordPress plugin through version 2.0.21 contains a Local File Inclusion (LFI) vulnerability identified as CVE-2024-6460. The vulnerability was discovered by Project Black and publicly disclosed on July 26, 2024. The issue affects the plugin's component parameter functionality, which could allow unauthorized access to and execution of PHP files on the server (WPScan).

The vulnerability is classified as a Local File Inclusion (LFI) issue and has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The flaw exists in the component parameter handling of the plugin, which can be exploited through the WordPress admin-ajax.php endpoint. The vulnerability is tracked under CWE-22 and falls under the OWASP Top 10 category A1: Injection (WPScan, NVD).

The vulnerability allows attackers to include and execute arbitrary PHP files on the affected server, potentially leading to complete system compromise. Due to its unauthenticated nature and the ability to execute arbitrary PHP code, the impact is considered critical with potential for full system access (WPScan).

The vulnerability has been fixed in version 2.0.22 of the Grow by Tradedoubler WordPress plugin. Users are strongly advised to update to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (WPScan).