Cyber Resilience

CVE-2024-13681

Severity: High

Published: 18 February 2025
Modified: 21 February 2025
CVSS v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS: 0.0030 (53.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13681 is a high-severity Improper Input Validation (CWE-20) vulnerability in Undsgn Uncode. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.3% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13681 is an arbitrary file read vulnerability in the Uncode theme for WordPress, affecting all versions up to and including 2.9.1.6. The flaw arises from insufficient input validation in the 'uncode_admin_get_oembed' function, mapped to CWE-20 (Improper Input Validation). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with network accessibility, low attack complexity, and no authentication or user interaction required.

Unauthenticated attackers can exploit this vulnerability remotely by sending crafted requests to the affected WordPress site running the vulnerable Uncode theme version. Successful exploitation allows reading arbitrary files on the server, such as sensitive configuration files, database credentials, or other confidential data stored outside the web root.

Advisories recommend mitigation by updating the theme, since the affected range ends at version 2.9.1.6. For patch details and change log information, see the vendor advisory at https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7914ebe6-b5e1-4a1a-8794-80f515e6c9f6?source=cve.
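To illustrate the SI-10 (Information Input Validation) control named above, here is an added example of a strict allow-list check that a theme could run on a user-supplied oEmbed URL before fetching it. This is not Uncode's code; the function name, the assumption that the helper receives a URL string, and the sample inputs are all constructed for illustration.

```php
<?php
// Added example, not the Uncode theme's own code. Assumes the oEmbed helper
// receives an untrusted URL string ($raw_url) and returns it only if it is
// safe to fetch; the caller should then use wp_safe_remote_get() (a real
// WordPress function) rather than a raw file_get_contents() on the value.

/**
 * Return a validated http(s) URL, or null when the input must be rejected.
 */
function validate_oembed_url(string $raw_url): ?string
{
    $raw_url = trim($raw_url);

    // Bare paths such as "../wp-config.php" are not URLs at all.
    if (filter_var($raw_url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    $parts = parse_url($raw_url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }

    // Only remote web schemes may be fetched. Wrappers such as file://,
    // php:// or data: would make the fetch routine read a local resource
    // instead of a remote page, which is the CWE-20 failure this CVE describes.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    return $raw_url;
}

// Constructed inputs for illustration; only the first should be accepted.
$candidates = [
    'https://vimeo.com/123456',
    'file:///etc/passwd',
    '../wp-config.php',
    'php://filter/resource=wp-config.php',
];
foreach ($candidates as $candidate) {
    $ok = validate_oembed_url($candidate);
    printf("%-40s %s\n", $candidate, $ok === null ? 'rejected' : 'allowed');
}
```

The validator fails closed: anything that is not an absolute http(s) URL with a host is rejected before any fetch is attempted.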

Vulnerability details

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

Why these techniques?

A direct, remote, unauthenticated arbitrary file read against a public-facing WordPress application maps to T1190; the resulting ability to collect local system files and credentials maps to T1005.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-1022 (shared CWE-20)
- CVE-2025-50151 (shared CWE-20)
- CVE-2026-22444 (shared CWE-20)
- CVE-2026-21858 (shared CWE-20)
- CVE-2025-1026 (shared CWE-20)
- CVE-2026-4755 (shared CWE-20)
- CVE-2026-6973 (shared CWE-20)
- CVE-2025-29847 (shared CWE-20)
- CVE-2026-23836 (shared CWE-20)
- CVE-2025-12275 (shared CWE-20)

Affected Assets

Vendor: undsgn
Product: uncode
Versions: ≤ 2.9.1.7

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Directly addresses the improper input validation (CWE-20) in the uncode_admin_get_oembed function by enforcing comprehensive checks on user-supplied inputs to prevent arbitrary file reads.
- SI-2 Flaw Remediation (prevent): Mandates identification, reporting, and correction of the specific flaw in Uncode theme versions up to 2.9.1.6 through timely patching as recommended by vendor advisories.
- Boundary protection (prevent): Provides protections for public access points in the WordPress site to restrict unauthorized remote access and mitigate exploitation of the unauthenticated arbitrary file read vulnerability.