PT-2024-36584 · WordPress · Where I Was

Jonas Höbenreich · Published 2024-06-14 · Updated 2024-06-17 · CVE-2024-5577

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Where I Was, Where I Will Be plugin for WordPress, version <= 1.1.1

Description
The issue allows unauthenticated attackers to include and execute arbitrary files hosted on external servers via the WIW_HEADER parameter of the "/system/include/include_user.php" file (remote file inclusion). Any PHP code in the included file is executed by the server, potentially bypassing access controls, exposing sensitive data, or achieving code execution. Exploitation requires the PHP directive allow_url_include to be enabled, which is not a common configuration.

Recommendations
For version <= 1.1.1, update to a version greater than 1.1.1 to resolve the issue. As a temporary workaround, consider disabling the WIW_HEADER parameter in the "/system/include/include_user.php" file until a patch is available. Additionally, ensure that allow_url_include is set to Off (the default) to prevent exploitation.
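The following is an added illustration, not the plugin's code and not the vendor's fix. It shows the generic file-inclusion pattern the description refers to (an include() whose target comes straight from a request parameter) beside a hardened replacement, and a check for the allow_url_include workaround named above. The parameter name follows the advisory; the template directory, the file-name prefix and the list of allowed header names are assumptions made for this example.

```php
<?php
// Added example, not the plugin's code. Template directory, file-name prefix
// ("header-") and the allow-list of header names are assumed for illustration.
declare(strict_types=1);

// --- Vulnerable pattern (shown for recognition only) ----------------------
// With allow_url_include=On, a URL value is fetched and executed as PHP.
// Even with it Off, a local path or stream wrapper can still be included,
// so the raw request value must never reach include().
function include_header_unsafe(array $request): void
{
    $header = $request['WIW_HEADER'] ?? 'default';
    include $header;              // request-controlled include target
}

// --- Hardened form --------------------------------------------------------
// 1. Accept only names on a fixed allow-list.
// 2. Build the path from that name and a fixed directory, then confirm with
//    realpath() that the resolved file still lies inside that directory.
// 3. Include the resolved path, never the request value.
const HEADER_TEMPLATES = ['default', 'compact', 'map'];   // assumed names

function resolve_header_template(string $requested, string $templateDir): ?string
{
    if (!in_array($requested, HEADER_TEMPLATES, true)) {
        return null;                                   // not on the allow-list
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/header-' . $requested . '.php');
    if ($base === false || $path === false) {
        return null;                                   // directory or file missing
    }
    // Containment check: resolved file must sit under the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_header_safe(array $request, string $templateDir): bool
{
    $name = $request['WIW_HEADER'] ?? 'default';
    $path = resolve_header_template(is_string($name) ? $name : 'default', $templateDir);
    if ($path === null) {
        return false;                                  // refuse rather than include
    }
    include $path;
    return true;
}

// --- Deployment check for the workaround ----------------------------------
// Returns true when the interpreter has allow_url_include disabled, i.e. the
// configuration the advisory recommends while the plugin is unpatched.
function remote_include_disabled(): bool
{
    $value = ini_get('allow_url_include');
    return $value === false || $value === '' || $value === '0'
        || strtolower((string) $value) === 'off';
}
```

The allow-list plus realpath() containment is the usual defence for this bug class: the include target is chosen from a closed set the developer controls, so neither a remote URL nor a traversal sequence can reach include(). The directive check corresponds to `allow_url_include = Off` in php.ini (its default value); keeping it Off removes the remote variant of the issue but does not, by itself, fix the plugin code, so the update remains the real remedy.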


Weakness Enumeration

Related Identifiers
CVE-2024-5577

Affected Products
Where I Was