Cyber Resilience

CVE-2024-10763

Severity: Critical
Published: 13 February 2025
Modified: 13 November 2025
KEV Added: not listed
Patch: no fixed version enumerated in the available advisory data
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0353 (87.8th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2024-10763 is a critical-severity Path Traversal (CWE-22) vulnerability in the Campress WordPress theme by Apuswp, exploited as a Local File Inclusion. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By EPSS it ranks in the top 12.2% of CVEs by exploit likelihood (87.8th percentile). It is not currently listed in the CISA KEV catalog.

The strongest mitigations identified in this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.35 via the campress_woocommerce_get_ajax_products function. The flaw is tracked as CVE-2024-10763 with a CVSS 3.1 score of 9.8 and is classified as CWE-22. An unauthenticated attacker can cause the server to include arbitrary files that already exist on it, and any PHP code in those files then runs in the web server's context.

Unauthenticated remote attackers can exploit the issue over the network to bypass access controls, read sensitive data such as configuration files, or obtain code execution where they can first place a file containing PHP on the server, for example through an upload feature, and then include it. The attack requires no user interaction or credentials.

Public references include the theme listing on ThemeForest and a detailed Wordfence threat-intelligence entry, but the available advisory data enumerates no fixed version or vendor mitigation steps. The affected range on this page stops at 1.35 inclusive, so operators should confirm with the vendor which later release carries the fix rather than assume that any version above 1.35 does. EPSS is recomputed regularly and snapshots differ: the analysis recorded a current value of 0.1442 with a peak of 0.1585, while the header of this page shows 0.0353 (87.8th percentile); both sit in a moderate range.

Vulnerability details

The Campress theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.35 via the 'campress_woocommerce_get_ajax_products' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included.

CWE(s)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

LFI in a public-facing WordPress theme directly enables remote unauthenticated exploitation (T1190) leading to arbitrary PHP file inclusion and execution, hence RCE (T1059), and a dropped-and-included PHP file is a web shell (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
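Detection for the T1190 step above, as an added example that is not part of the advisory or of the theme: a PHP CLI script that triages web-server access-log lines for traversal and file-inclusion payloads aimed at WordPress AJAX endpoints. The AJAX action name 'campress_products' and the 'layout' parameter are assumptions (the real wp_ajax action behind campress_woocommerce_get_ajax_products is not on this page), and the log lines are constructed, not real traffic.

```php
<?php
// Added example (not from the advisory or the Campress theme). Assumed action name and
// parameter: action=campress_products, layout=... Sample log lines below are constructed.

/**
 * True when a request string carries a local-file-inclusion / traversal indicator.
 * Percent-decodes twice so ..%2f, %2e%2e/ and double-encoded variants all fold to '../'.
 */
function campress_is_lfi_probe( $request ) {
    $decoded  = strtolower( rawurldecode( rawurldecode( $request ) ) );
    $patterns = array(
        '#\.\./#',                                          // directory traversal
        '#\.\.\\\\#',                                       // backslash variant
        '#php://|data:|expect://#',                         // PHP stream wrappers
        '#/etc/passwd|wp-config\.php|/proc/self/environ#',  // classic LFI targets
    );
    foreach ( $patterns as $p ) {
        if ( preg_match( $p, $decoded ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Parse combined-log-format lines; return suspicious admin-ajax.php requests.
 * Scoped to admin-ajax.php because that is where theme AJAX handlers are reached;
 * widen the strpos() check to alert on traversal against any path.
 */
function campress_triage_log( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m ) ) {
            continue;  // not a request line we understand
        }
        list( , $ip, $request, $status ) = $m;
        if ( false !== strpos( $request, 'admin-ajax.php' ) && campress_is_lfi_probe( $request ) ) {
            $hits[] = array( 'ip' => $ip, 'status' => (int) $status, 'request' => $request );
        }
    }
    return $hits;
}

// Constructed sample traffic (RFC 5737 documentation addresses).
$sample = array(
    '203.0.113.5 - - [14/Feb/2025:10:01:22 +0000] "GET /wp-admin/admin-ajax.php?action=campress_products&layout=grid HTTP/1.1" 200 5120',
    '203.0.113.5 - - [14/Feb/2025:10:01:25 +0000] "GET /wp-admin/admin-ajax.php?action=campress_products&layout=..%2f..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3811',
    '198.51.100.7 - - [14/Feb/2025:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=campress_products&layout=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1402',
    '198.51.100.9 - - [14/Feb/2025:10:03:40 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 220',
);

foreach ( campress_triage_log( $sample ) as $hit ) {
    // The two admin-ajax.php lines with traversal payloads are reported; the benign
    // layout=grid request and the non-AJAX probe are not.
    printf( "%s %d %s\n", $hit['ip'], $hit['status'], $hit['request'] );
}
```

A 200 response on a traversal request is the line to escalate: it means the include most likely succeeded. Standard access logs record only the query string, so the POST form of the same attack against admin-ajax.php is invisible here; pair this with WAF or request-body logging, and treat any newly created PHP-bearing file under wp-content/uploads around the same timestamps as a likely web shell (T1505.003).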

CVEs Like This One (shared CWE-22)

CVE-2026-32805
CVE-2026-34607
CVE-2026-41193
CVE-2024-55597
CVE-2025-69770
CVE-2026-34745
CVE-2026-0805
CVE-2025-12062
CVE-2025-8815
CVE-2025-54438

Affected Assets

apuswp / campress, versions ≤ 1.35

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly remediates the LFI flaw in the 'campress_woocommerce_get_ajax_products' function of the Campress theme by identifying, applying, and verifying the corrected code.

SI-10 Information Input Validation (prevent)

Validates inputs to the vulnerable AJAX function so that path traversal strings are rejected, preventing arbitrary local file inclusion and PHP code execution.

Input allow-listing at the application boundary (prevent)

Restricts the AJAX function's inputs to an allow-list of known product or template identifiers, so that no request value is ever used as a file path and attempts to include unauthorized server files fail closed.
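The SI-10 and allow-listing controls above, and the inclusion pattern described under "Deeper analysis", as an added example that is not Campress's code: the body of campress_woocommerce_get_ajax_products is not published on this page, so the handler names, the 'layout' request parameter, the AJAX action name and the template slugs below are assumptions chosen to show the vulnerable pattern (a request value becomes part of an include path) next to its hardened form.

```php
<?php
// Added illustration, not Campress's code. Function names, the 'layout' parameter,
// the action 'campress_products' and the template slugs are assumptions.

// --- Vulnerable pattern (hypothetical) ---
// layout=../../../../wp-config.php  discloses configuration and database credentials;
// layout=../../uploads/2025/02/avatar.jpg  executes PHP hidden in an uploaded "image",
// because include() parses any file as PHP regardless of its extension.
function campress_ajax_products_vulnerable() {
    $layout = isset( $_POST['layout'] ) ? (string) $_POST['layout'] : 'grid';
    include get_template_directory() . '/woocommerce/' . $layout;  // CWE-22: attacker-controlled path
    wp_die();
}

// --- Hardened form: the parameter is a key into an allow-list, never a path ---

/** Template slugs this endpoint is permitted to render (assumed names). */
function campress_product_layouts() {
    return array(
        'grid' => 'woocommerce/product-grid',
        'list' => 'woocommerce/product-list',
    );
}

/**
 * Resolve an untrusted layout value to an allow-listed template slug.
 * Pure function: returns the slug, or null so the caller fails closed.
 * No stripping of "../" is attempted; anything that is not exactly one of
 * the known keys is rejected, which also covers percent-encodings, null
 * bytes and stream wrappers that a blacklist of traversal strings would miss.
 */
function campress_resolve_layout( $untrusted ) {
    if ( ! is_string( $untrusted ) ) {
        return null;  // arrays or nulls from malformed requests
    }
    $layouts = campress_product_layouts();
    return array_key_exists( $untrusted, $layouts ) ? $layouts[ $untrusted ] : null;
}

function campress_ajax_products_hardened() {
    $slug = campress_resolve_layout( isset( $_POST['layout'] ) ? $_POST['layout'] : 'grid' );
    if ( null === $slug ) {
        wp_send_json_error( array( 'message' => 'unknown layout' ), 400 );  // sends and exits
    }
    ob_start();
    get_template_part( $slug );  // fixed slug, resolved by WordPress inside the active theme only
    wp_send_json_success( array( 'html' => ob_get_clean() ) );
}
add_action( 'wp_ajax_campress_products', 'campress_ajax_products_hardened' );
add_action( 'wp_ajax_nopriv_campress_products', 'campress_ajax_products_hardened' );
```

The allow-list is the control, not sanitisation: `sanitize_key()` or a regex that removes "../" can be applied first, but only the exact-match lookup guarantees that the request value never reaches a filesystem call. Where a handler genuinely must accept a file name, the fallback is to `realpath()` the joined path and reject it unless it starts with the `realpath()` of the permitted directory, but that is weaker than the lookup shown here and still allows any file already inside that directory.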
