CVE-2024-13593: 
WordPress vulnerability analysis and mitigation

The BMLT Meeting Map plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2024-13593) discovered in all versions up to and including 2.6.0. The vulnerability was disclosed on January 23, 2025, affecting the plugin's 'bmltmeetingmap' shortcode functionality (NVD).

The vulnerability exists in the 'bmltmeetingmap' shortcode implementation, allowing authenticated users with Contributor-level access or higher to perform Local File Inclusion attacks. The issue has received a CVSS v3.1 base score of 8.8 (HIGH) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while Wordfence assigned a score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows attackers to include and execute arbitrary files on the server, potentially leading to the execution of any PHP code within those files. This can result in access control bypasses, sensitive data exposure, and potential code execution when attackers can upload and include seemingly safe file types like images (NVD).

A patch has been released addressing this vulnerability. Users should upgrade to versions after 2.6.0 to mitigate the risk (Wordpress Patch).