Cyber Resilience

CVE-2024-3807

High

Published: 14 May 2024

Published
14 May 2024
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0728 91.8th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-3807 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 8.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Porto theme for WordPress is vulnerable to local file inclusion in all versions through 7.1.0. The flaw exists in the handling of the porto_page_header_shortcode_type, slideshow_type, and post_layout post-meta fields, which accept attacker-controlled values that are passed directly to file-inclusion operations. Successful exploitation permits an authenticated user to load and execute arbitrary PHP files present on the server.

An attacker with contributor-level or higher privileges can supply malicious meta values when creating or editing posts. This allows inclusion of any readable file, bypassing access controls to read sensitive data or, when a PHP file can be uploaded, achieving remote code execution with the privileges of the web server.

The vendor partially addressed the issue in version 7.1.0 and completed remediation in 7.1.1. Security advisories therefore recommend immediate upgrade to 7.1.1 or later; no other configuration work-arounds are documented in the available references.

EPSS remains flat at 0.0728 with no observed increase after disclosure.

EU & UK References

Vulnerability details

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include…

more

and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. This was partially patched in version 7.1.0 and fully patched in version 7.1.1.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References