Cyber Resilience

CVE-2024-13790

Critical

Published: 19 March 2025

Published
19 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0040 61.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13790 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Thememove (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-13790 is a Local File Inclusion vulnerability (CWE-98) affecting the MinimogWP – The High Converting eCommerce WordPress Theme for WordPress in all versions up to and including 3.7.0. The flaw stems from improper handling of the 'template' parameter, which enables attackers to include and execute arbitrary files on the server, potentially leading to the execution of PHP code within those files.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, no privileges, and no user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows inclusion of arbitrary server files for PHP code execution, enabling attackers to bypass access controls, obtain sensitive data, or achieve remote code execution, particularly when combined with uploads of images or other "safe" file types containing exploitable PHP content.

Advisories and related resources, including the theme's changelog at thememove.com, the ThemeForest product page, and Wordfence's threat intelligence report, provide details on updates and mitigation steps for affected installations.

EU & UK References

Vulnerability details

The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and…

more

execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability is an unauthenticated remote LFI in a public-facing WordPress theme allowing arbitrary file inclusion and PHP code execution, directly enabling exploitation of public-facing applications (T1190), command/script execution via PHP (T1059), and access to local system files for sensitive data (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30846Shared CWE-98
CVE-2026-22389Shared CWE-98
CVE-2026-32384Shared CWE-98
CVE-2025-30829Shared CWE-98
CVE-2025-68537Shared CWE-98
CVE-2026-28079Shared CWE-98
CVE-2026-28061Shared CWE-98
CVE-2026-28048Shared CWE-98
CVE-2026-22516Shared CWE-98
CVE-2026-28120Shared CWE-98

Affected Assets

Thememove
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the LFI flaw in the MinimogWP WordPress theme by requiring timely patching of versions up to 3.7.0 as per vendor advisories.

prevent

Validates the 'template' parameter to prevent path traversal and arbitrary file inclusion leading to PHP code execution.

prevent

Restricts the 'template' parameter to only authorized safe values, blocking unauthenticated attempts to include arbitrary server files.

References