CVE-2024-12811

Name of the Vulnerable Software and Affected Versions The Traveler theme for WordPress versions up to, and including, 3.1.8

Description The issue allows authenticated attackers with contributor-level and above permissions to include and execute arbitrary files on the server via the hotel alone slider shortcode style attribute. This enables the execution of any PHP code in those files, potentially bypassing access controls, obtaining sensitive data, or achieving code execution if PHP file types can be uploaded and included.

Recommendations For versions up to, and including, 3.1.8, update to a version that fixes this issue to prevent Local File Inclusion attacks. As a temporary workaround, consider restricting access to the hotel alone slider shortcode or disabling the style attribute to minimize the risk of exploitation.