CVE-2024-10763
Published: 13 February 2025
Summary
CVE-2024-10763 is a critical-severity Path Traversal (CWE-22) vulnerability in Apuswp Campress. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.35 via the campress_woocommerce_get_ajax_products function. The flaw is tracked as CVE-2024-10763 with a CVSS 3.1 score of 9.8 and is associated with CWE-22. It lets an unauthenticated request include and execute arbitrary files on the server, which runs any PHP code present in those files.
Unauthenticated remote attackers can exploit the issue over the network to bypass access controls, read sensitive data, or obtain code execution on the server in environments where PHP files can be uploaded and subsequently included. The attack requires no user interaction or credentials.
Public references include the theme listing on ThemeForest and a detailed entry from Wordfence threat intelligence, though specific patch versions or mitigation steps are not enumerated in the available advisory data. The EPSS score has remained in a moderate range with a current value of 0.1442 and a peak of 0.1585.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4921
Vulnerability details
The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LFI in a public-facing WordPress theme directly enables remote unauthenticated exploitation (T1190), leading to arbitrary PHP file inclusion/execution and RCE (T1059; T1100 web shell).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the LFI flaw in the 'campress_woocommerce_get_ajax_products' function of the Campress theme by identifying, patching, and verifying corrections.
- SI-10 (Information Input Validation): validates inputs to the vulnerable AJAX function to block path traversal strings, preventing arbitrary local file inclusion and PHP code execution.
- Restricts inputs at the application boundary to whitelisted product or file identifiers, mitigating attempts to include unauthorized server files.
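The deeper analysis above describes the flaw only at the level of "a request parameter reaches include()", and the SI-10 control above describes the fix only as "whitelist the identifier". The following is an added illustration written for this page; it is not Campress code and does not reproduce the theme's actual handler. The parameter name `layout`, the `woocommerce/` template directory, and the nonce action name are assumptions. It shows the unsafe shape the advisory describes next to a hardened handler that maps the parameter through a fixed allowlist, confirms the resolved path stays inside the theme directory, and requires a WordPress nonce before doing anything.

```php
<?php
// Added example (hypothetical handler, not the Campress theme's own code).
// Both functions stand in for an AJAX callback that renders a product
// template chosen by the request. Parameter 'layout' is an assumption.

// UNSAFE PATTERN (the CWE-22 shape the advisory describes): the request
// value is concatenated into a path and handed to include() unchanged, so
// any file PHP can read may be included, and PHP inside it executes.
function unsafe_get_ajax_products(array $request, string $theme_dir): void
{
    $layout = $request['layout'] ?? 'grid';
    include $theme_dir . '/woocommerce/' . $layout . '.php';
}

// HARDENED PATTERN (SI-10 style): the request value is only ever used as a
// key into a fixed allowlist, and the resolved path is checked against the
// template directory before include(). Returns the included path, or null
// when the request was refused.
function safe_get_ajax_products(array $request, string $theme_dir): ?string
{
    // 1. Authorisation / anti-CSRF: require a valid nonce. Action name is assumed.
    //    (Unauthenticated wp_ajax_nopriv_* hooks are exactly where this flaw lives,
    //    so the handler must not trust the caller.)
    if (function_exists('check_ajax_referer')) {
        check_ajax_referer('campress_products_nonce', 'nonce');
    }

    // 2. Allowlist: untrusted input selects an entry; it never becomes a path.
    $allowed = [
        'grid' => 'grid.php',
        'list' => 'list.php',
    ];
    $key = (string) ($request['layout'] ?? 'grid');
    if (!array_key_exists($key, $allowed)) {
        return null; // unknown layout: refuse rather than guess
    }

    // 3. Defence in depth: confirm the final path is inside the template dir.
    $base = realpath($theme_dir . '/woocommerce');
    $path = $base === false ? false : realpath($base . '/' . $allowed[$key]);
    if ($base === false || $path === false) {
        return null; // directory or template missing
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }

    include $path;
    return $path;
}
```

The allowlist is the part that closes the vulnerability class: once the request value can only select between fixed keys, there is no string for a traversal sequence to act on. The `realpath` comparison is a second guard that catches mistakes such as an allowlist entry that later gets edited to contain `..` or a symlink planted inside the template directory; `realpath` returns `false` for a missing file, so both failure branches are handled explicitly rather than letting `false . '/...'` reach `include()`. The nonce check uses the real WordPress `check_ajax_referer()` function, but the action name is invented for this example, as is the parameter name.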