CVE-2024-13681
Published: 18 February 2025
Summary
CVE-2024-13681 is a high-severity Improper Input Validation (CWE-20) vulnerability in Undsgn Uncode. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 46.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13681 is an arbitrary file read vulnerability in the Uncode theme for WordPress, affecting all versions up to and including 2.9.1.6. The flaw arises from insufficient input validation in the 'uncode_admin_get_oembed' function, mapped to CWE-20 (Improper Input Validation). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with network accessibility, low attack complexity, and no authentication or user interaction required.
Unauthenticated attackers can exploit this vulnerability remotely by sending crafted requests to the affected WordPress site running the vulnerable Uncode theme version. Successful exploitation allows reading arbitrary files on the server, such as sensitive configuration files, database credentials, or other confidential data stored outside the web root.
Advisories recommend mitigating by updating, since the vulnerability description limits affected versions to 2.9.1.6 and earlier. For patch details and change log information, see the vendor advisory at https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7914ebe6-b5e1-4a1a-8794-80f515e6c9f6?source=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4806
Vulnerability details
The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A direct, remote, unauthenticated arbitrary file read against a public-facing WordPress application maps to T1190 (Exploit Public-Facing Application); the resulting ability to collect local system files and credentials maps to T1005 (Data from Local System).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly addresses the improper input validation (CWE-20) in the uncode_admin_get_oembed function by enforcing comprehensive checks on user-supplied inputs to prevent arbitrary file reads.
SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of the specific flaw in Uncode theme versions up to 2.9.1.6 through timely patching as recommended by vendor advisories.
Provides protections for public access points in the WordPress site to restrict unauthorized remote access and mitigate exploitation of the unauthenticated arbitrary file read vulnerability.
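The SI-10 control above, and the root cause described under Deeper analysis, come down to validating the URL an embed endpoint receives before anything is fetched or read. The block below is an added illustration of that check, not the theme's code and not the patched function; the page does not say how uncode_admin_get_oembed consumed its input, so the host allowlist and the sample inputs are constructed assumptions.

```python
"""Allowlist validation for a user-supplied oEmbed URL (constructed example)."""
from urllib.parse import urlsplit

# Hypothetical provider allowlist; a real site derives it from the oEmbed
# providers it actually embeds.
ALLOWED_HOSTS = frozenset({"www.youtube.com", "youtube.com", "vimeo.com"})


def validate_embed_url(raw: str) -> tuple[bool, str]:
    """Return (ok, reason). Only absolute http(s) URLs to an allowlisted host pass.

    Local file paths, other URL schemes, credentials in the authority and
    relative/traversal paths are all rejected before any fetch is attempted.
    """
    if not isinstance(raw, str) or not raw or len(raw) > 2048:
        return False, "empty or oversized input"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return False, "control character in input"
    parts = urlsplit(raw.strip())
    if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
        return False, f"scheme not allowed: {parts.scheme or '<none>'}"
    if not parts.hostname:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    if parts.hostname not in ALLOWED_HOSTS:  # hostname is already lowercased
        return False, f"host not in allowlist: {parts.hostname}"
    return True, "ok"


# Constructed sample inputs of the kind an embed endpoint might receive.
SAMPLES = [
    "https://www.youtube.com/watch?v=dQw4w9WgXcQ",  # constructed video id
    "http://vimeo.com/123456",
    "file:///tmp/constructed.txt",
    "../../constructed.ini",
    "https://user:pw@vimeo.com/1",
    "https://example.invalid/embed",
    "https://vimeo.com/1\r\nX-Injected: 1",
]


def audit(samples=SAMPLES) -> dict[str, str]:
    """Map each sample to its verdict reason; handy as a regression table."""
    return {s: validate_embed_url(s)[1] for s in samples}


if __name__ == "__main__":
    for url, reason in audit().items():
        print(f"{'PASS' if reason == 'ok' else 'FAIL':4} {reason:34} {url!r}")
```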