Cyber Resilience

CVE-2024-12811

High

Published: 28 February 2025

Published
28 February 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12811 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Travelerwp (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12811 is a Local File Inclusion vulnerability (CWE-98) affecting the Traveler theme for WordPress in all versions up to and including 3.1.9. The flaw exists via shortcodes, enabling the inclusion and execution of arbitrary files on the server. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-28.

Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of PHP code in included files, which can bypass access controls, obtain sensitive data, or achieve remote code execution if PHP files are uploadable and includable.

Mitigation details are provided in the vendor's changelog at https://travelerwp.com/traveler-changelog/ and the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/a09298b3-3b5c-4a92-9332-79ff83234479?source=cve.

EU & UK References

Vulnerability details

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.9 via shortcodes. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on…

more

the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

LFI in public-facing WordPress theme directly enables T1190 exploitation for initial access and arbitrary PHP file execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-53248Shared CWE-98
CVE-2025-67934Shared CWE-98
CVE-2025-30831Shared CWE-98
CVE-2025-1707Shared CWE-98
CVE-2026-25027Shared CWE-98
CVE-2025-27272Shared CWE-98
CVE-2024-13790Shared CWE-98
CVE-2025-30846Shared CWE-98
CVE-2026-22389Shared CWE-98
CVE-2026-32384Shared CWE-98

Affected Assets

Travelerwp
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires identification, reporting, and timely correction of the LFI flaw in the Traveler theme, directly mitigating the CVE through patching as noted in vendor changelog.

prevent

Mandates validation of shortcode inputs to ensure they conform to expected syntax and semantics, preventing arbitrary file inclusion and PHP execution.

prevent

Enforces least privilege by restricting contributor-level and higher permissions, limiting the authenticated users able to exploit the shortcode vulnerability.

References