Cyber Resilience

CVE-2024-13787

Severity: Critical · RCE
Published: 05 March 2025
Modified: 15 April 2026
KEV Added: (no entry)
Patch: (no entry)
CVSS v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0029 (53.0th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13787 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability attributed to Themeforest (the vendor was inferred from the references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13787 is a PHP Object Injection vulnerability (CWE-502) affecting the VEDA - MultiPurpose WordPress Theme for WordPress in all versions up to and including 4.2. The flaw stems from deserialization of untrusted input within the 'veda_backup_and_restore_action' function, enabling the injection of a PHP Object. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to inject a PHP object. No known property-oriented programming (POP) gadget chain exists in the vulnerable theme itself, so the flaw has no direct impact unless another installed plugin or theme supplies such a chain. Where a chain is present, an attacker could delete arbitrary files, retrieve sensitive data, or execute arbitrary code, depending on what the chain's gadgets can do.

Advisories and additional details are available via references including the theme's page on ThemeForest (https://themeforest.net/item/veda-multipurpose-theme/15860489) and Wordfence's threat intelligence report (https://www.wordfence.com/threat-intel/vulnerabilities/id/d0966138-b28b-4c03-a2cf-b51c5f478276?source=cve). Practitioners should consult these for any patch information or mitigation guidance specific to the theme.

EU & UK References

Vulnerability details

The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
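The pattern described in the analysis and in the vulnerability details above is a backup/restore handler that calls unserialize() on request data. The following is an added illustration, not code from the VEDA theme or from Wordfence: a hypothetical restore handler written in the vulnerable style, beside a hardened version. The function names, option name and allowed settings keys are invented for the example; the WordPress calls (current_user_can, check_admin_referer, update_option, sanitize_text_field, wp_die) and the PHP unserialize() allowed_classes option are real APIs.

```php
<?php
// Added example (not the theme's code). Shows why CWE-502 in a restore
// handler is dangerous even when the theme itself ships no gadget, and
// how to close it. Names below are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// unserialize() will instantiate any class present on the site. Magic
// methods (__wakeup, __destruct, __toString) in *other* plugins or themes
// are what turn this into file deletion, data disclosure or code execution,
// which is exactly the "POP chain from another component" caveat above.
function hypothetical_restore_vulnerable( string $raw ) {
    $data = unserialize( base64_decode( $raw ) ); // CWE-502: untrusted input
    if ( is_array( $data ) ) {
        update_option( 'hypothetical_theme_settings', $data );
    }
}

// --- Hardened pattern ---------------------------------------------------
function hypothetical_restore_hardened( string $raw ) {
    // 1. Authorization and CSRF: a restore action is an administrator
    //    operation; Subscriber-level users must not reach this code path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', 403 );
    }
    check_admin_referer( 'hypothetical_theme_restore' );

    // 2. Use a data format that cannot instantiate objects at all.
    //    JSON_THROW_ON_ERROR (PHP >= 7.3) makes malformed input fail closed.
    try {
        $data = json_decode( $raw, true, 8, JSON_THROW_ON_ERROR );
    } catch ( JsonException $e ) {
        wp_die( 'Malformed backup payload', '', 400 );
    }
    if ( ! is_array( $data ) ) {
        wp_die( 'Malformed backup payload', '', 400 );
    }

    // 3. Allow-list keys and types (SI-10 style input validation); drop
    //    everything else rather than trusting the payload's structure.
    $allowed = array( 'primary_color' => 'string', 'show_sidebar' => 'boolean' );
    $clean   = array();
    foreach ( $allowed as $key => $type ) {
        if ( array_key_exists( $key, $data ) && gettype( $data[ $key ] ) === $type ) {
            $clean[ $key ] = ( 'string' === $type )
                ? sanitize_text_field( $data[ $key ] )
                : $data[ $key ];
        }
    }
    update_option( 'hypothetical_theme_settings', $clean );
}

// --- If the PHP serialized format must be kept for old backups ---------
// Refusing all classes (PHP >= 7.0) turns any object in the payload into
// __PHP_Incomplete_Class, so no magic method can ever run from it.
function hypothetical_unserialize_scalars_only( string $blob ) {
    $data = unserialize( $blob, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}
```

The hardened handler removes the gadget risk at the format layer (json_decode or allowed_classes => false) and, independently, at the authorization layer: even a future deserialization bug is far less exposed when only administrators with a valid nonce can reach the restore action, rather than any Subscriber-level account as in the vulnerable theme.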

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assessed)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A deserialization vulnerability in a public-facing WordPress theme can be exploited for RCE, data access or file operations when a POP chain is supplied by other installed components.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2024-13770 (shared CWE-502)
- CVE-2026-27303 (shared CWE-502)
- CVE-2025-53586 (shared CWE-502)
- CVE-2025-64353 (shared CWE-502)
- CVE-2025-31047 (shared CWE-502)
- CVE-2026-27096 (shared CWE-502)
- CVE-2023-49886 (shared CWE-502)
- CVE-2026-23542 (shared CWE-502)
- CVE-2025-66631 (shared CWE-502)
- CVE-2026-40044 (shared CWE-502)

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assessed)

- prevent: Directly mitigates the vulnerability by identifying, reporting, and correcting the insecure deserialization flaw in the VEDA theme's veda_backup_and_restore_action function.
- prevent: Prevents PHP object injection by implementing input validation and error handling on untrusted data deserialized by the vulnerable backup and restore function.
- detect: Detects the presence of CVE-2024-13787 in the VEDA WordPress theme through vulnerability scanning, enabling proactive patching before exploitation.

References