CVE-2024-12811
Published: 28 February 2025
Summary
CVE-2024-12811 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Travelerwp (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-12811 is a Local File Inclusion vulnerability (CWE-98) affecting the Traveler theme for WordPress in all versions up to and including 3.1.9. The flaw exists via shortcodes, enabling the inclusion and execution of arbitrary files on the server. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-28.
Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of PHP code in included files, which can bypass access controls, obtain sensitive data, or achieve remote code execution if PHP files are uploadable and includable.
Mitigation details are provided in the vendor's changelog at https://travelerwp.com/traveler-changelog/ and the Wordfence threat intelligence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/a09298b3-3b5c-4a92-9332-79ff83234479?source=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53953
Vulnerability details
The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.9 via shortcodes. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on…
more
the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI in public-facing WordPress theme directly enables T1190 exploitation for initial access and arbitrary PHP file execution (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires identification, reporting, and timely correction of the LFI flaw in the Traveler theme, directly mitigating the CVE through patching as noted in vendor changelog.
Mandates validation of shortcode inputs to ensure they conform to expected syntax and semantics, preventing arbitrary file inclusion and PHP execution.
Enforces least privilege by restricting contributor-level and higher permissions, limiting the authenticated users able to exploit the shortcode vulnerability.