Cyber Resilience

CVE-2024-13471

High

Published: 05 March 2025

Published
05 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0095 76.8th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13471 is a high-severity Path Traversal (CWE-22) vulnerability in Themeforest (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13471 affects the DesignThemes Core Features plugin for WordPress in all versions up to and including 4.7. The vulnerability stems from a missing capability check in the dt_process_imported_file function, enabling unauthorized access to data. This flaw, classified under CWE-22 (Path Traversal), allows attackers to read arbitrary files on the underlying operating system. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no privileges required.

Unauthenticated attackers can exploit this vulnerability remotely over the network without user interaction. By invoking the vulnerable function, they gain the ability to retrieve sensitive files from the server, such as configuration files, credentials, or other arbitrary data accessible to the web server process.

Advisories reference the Wordfence threat intelligence page for detailed vulnerability analysis and the ThemeForest listing for the associated LMS Learning Management System WordPress theme, which relies on the DesignThemes Core Features plugin. No specific patch details beyond updating past version 4.7 are provided in the core description.

EU & UK References

Vulnerability details

The DesignThemes Core Features plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the dt_process_imported_file function in all versions up to, and including, 4.7. This makes it possible for unauthenticated attackers to…

more

read arbitrary files on the underlying operating system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in public-facing WordPress plugin enables remote unauthenticated file reads, directly mapping to exploitation of public-facing applications (T1190) and collection of data from local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-12824Shared CWE-22
CVE-2026-25965Shared CWE-22
CVE-2025-30567Shared CWE-22
CVE-2025-27098Shared CWE-22
CVE-2024-55457Shared CWE-22
CVE-2026-35485Shared CWE-22
CVE-2024-54909Shared CWE-22
CVE-2026-3405Shared CWE-22
CVE-2025-41368Shared CWE-22
CVE-2026-23850Shared CWE-22

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to system resources, directly mitigating the missing capability check in the dt_process_imported_file function that allows unauthenticated arbitrary file reads.

prevent

Validates information inputs to prevent path traversal exploits like CWE-22, blocking unauthorized access to arbitrary files via manipulated inputs to the vulnerable function.

prevent

Applies least privilege to the web server process, limiting the scope of readable files even if the missing capability check is bypassed.

References