Atomic Edge analysis of CVE-2026-24608 (metadata-based):
The Laurent Core WordPress plugin, version 2.4.1 and earlier, contains an authenticated Local File Inclusion (LFI) vulnerability. An attacker with Contributor-level or higher privileges can cause the plugin to include arbitrary local files, which escalates to remote code execution when the attacker can also place a file containing PHP code on the server. The CVSS 3.1 score of 7.5 (High) reflects that impact when the flaw is combined with file upload capabilities.

Atomic Edge research attributes the root cause to CWE-98 (Improper Control of Filename for Include/Require Statement): the plugin most likely builds a file path from user-controlled input and hands it to a PHP include/require statement without validating it. This inference rests on the CWE classification and the vulnerability description; no code diff confirms it. The pattern matches many WordPress plugin LFI bugs, where a dynamic template loader or file-retrieval routine accepts an unsanitized path parameter and passes it straight to the filesystem.

Exploitation requires an authenticated account at Contributor level or higher. An attacker would first identify the vulnerable endpoint, most likely an admin-ajax.php action or a plugin admin page that accepts a file path parameter, and then send a crafted request naming either a local file (for example ../../wp-config.php, relative to whatever directory the plugin prefixes) or an uploaded file that contains PHP code. The plugin includes the named file and PHP executes its contents. Typical locations for such an endpoint are /wp-admin/admin-ajax.php with an action parameter (laurent_core_action is an illustrative name; the real action is not known from the advisory metadata) or direct requests to files under /wp-content/plugins/laurent-core/. Two caveats for anyone assessing exposure: Contributors do not hold the upload_files capability on a stock install, so the "include an uploaded file" route needs an Author or higher account or a separate upload weakness; and include() executes a PHP file rather than printing it, so pointing the inclusion at wp-config.php does not by itself disclose the credentials inside it.

Remediation requires strict validation of user-supplied file paths. The plugin should not accept a path at all: it should map a short, opaque key to an allow-list of files inside its own directory. If a filename must be accepted, reduce it with basename(), reject anything containing a path separator or "..", and confirm with realpath() that the resolved file lies inside the intended directory. Validation must happen before any filesystem operation. Nonce verification and capability checks belong on the endpoint as well, but they do not fix this class of bug on their own: the flaw is reachable by Contributors, a role that legitimately passes edit_posts-style checks, so authorization alone cannot stop it.
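The following is an added illustration of the CWE-98 pattern described above in a WordPress AJAX handler, shown next to one way to harden it. It is not Laurent Core's code and does not reflect the plugin's actual endpoint; the action names, the template parameter, the templates/ directory and the template keys are assumptions made for the example.

```php
<?php
/**
 * Added illustration of CWE-98 in a WordPress AJAX handler and one way to fix it.
 * Not Laurent Core's code. The action names, the "template" parameter, the
 * templates/ directory and the template keys are assumptions for this example.
 */

// --- Vulnerable pattern (do not ship) -------------------------------------
// A "template" request parameter is appended to a directory and passed to
// include(). "template=../../../uploads/2026/01/avatar.jpg" walks out of the
// plugin directory and executes whatever PHP was embedded in that upload.
add_action('wp_ajax_lc_example_load_template', 'lc_example_vulnerable_load_template');
function lc_example_vulnerable_load_template() {
    $template = isset($_REQUEST['template']) ? $_REQUEST['template'] : 'grid.php';
    include plugin_dir_path(__FILE__) . 'templates/' . $template;   // CWE-98
    wp_die();
}

// --- Hardened pattern ------------------------------------------------------
// 1. The request carries an opaque key, never a path.
// 2. The key is looked up in a fixed allow-list owned by the plugin.
// 3. A realpath() containment check stays as defence in depth (catches a
//    symlink or a future allow-list entry someone writes with ".." in it).
// 4. Nonce and capability checks run first, but they do not fix CWE-98 by
//    themselves: the bug is reachable by Contributors, who hold edit_posts.
const LC_EXAMPLE_TEMPLATES = [
    'grid' => 'grid.php',
    'list' => 'list.php',
    'card' => 'card.php',
];

/**
 * Resolve an allow-listed template key to an absolute path inside $base_dir.
 * Returns null for anything that is not exactly one of the allow-listed files.
 */
function lc_example_resolve_template(string $base_dir, string $key): ?string {
    if (!isset(LC_EXAMPLE_TEMPLATES[$key])) {
        return null;                                     // unknown key
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . LC_EXAMPLE_TEMPLATES[$key]);
    if ($base === false || $path === false) {
        return null;                                     // directory or file missing
    }
    // Containment: the resolved path must sit strictly below the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

add_action('wp_ajax_lc_example_load_template_safe', 'lc_example_safe_load_template');
function lc_example_safe_load_template() {
    check_ajax_referer('lc_example_nonce', 'nonce');     // CSRF protection
    if (!current_user_can('edit_posts')) {               // authorization
        wp_send_json_error('forbidden', 403);            // wp_send_json_error() exits
    }
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-],
    // so a path or traversal sequence can never even reach the lookup.
    $key  = isset($_REQUEST['template']) ? sanitize_key(wp_unslash($_REQUEST['template'])) : '';
    $path = lc_example_resolve_template(plugin_dir_path(__FILE__) . 'templates', $key);
    if ($path === null) {
        wp_send_json_error('unknown template', 400);
    }
    include $path;                                       // only an allow-listed file reaches here
    wp_die();
}
```

The allow-list is the actual fix; basename() on its own, as suggested above, stops traversal but still lets a caller pick any file in the directory, and the realpath() check only matters if the allow-list is ever loosened. Because realpath() returns false for a missing file, a typo in the allow-list produces a clean 400 response rather than a PHP include warning that leaks the server path.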

Successful exploitation yields arbitrary PHP code execution in the web server's context. From there an attacker can read wp-config.php and the database credentials it contains, run operating system commands, and establish persistence. The vulnerability description notes that combining the flaw with file upload lets an attacker include a file they placed themselves, such as PHP code embedded in an otherwise accepted upload; on a stock install that requires Author-level upload rights or a further weakness. The result bypasses WordPress's own security controls and can lead to complete site compromise, data theft, and server takeover.