CVE-2024-3806
Published: 14 May 2024
Summary
CVE-2024-3806 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The Porto theme for WordPress is vulnerable to local file inclusion in all versions through 7.1.0. The flaw exists in the porto_ajax_posts function and permits unauthenticated inclusion and execution of arbitrary server-side files, which can lead to PHP code execution when an attacker can supply or upload a PHP file. The issue is tracked as CWE-98 and carries a CVSS 3.1 score of 9.8.
Unauthenticated remote attackers can exploit the vulnerability over the network without credentials or user interaction. Successful exploitation allows bypass of access controls, disclosure of sensitive data, or full code execution on the affected WordPress site.
The EPSS score currently stands at 0.6498 with no material increase after disclosure. Public references point to the vendor’s ThemeForest page and Wordfence threat intelligence entries, but no specific patch version or mitigation guidance is detailed in the available information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-32378
Vulnerability details
The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing…
more
the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.