Cyber Posture

CVE-2024-13681

Severity: High
Published: 18 February 2025
Modified: 21 February 2025
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0030 (53.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server.

Security Summary

CVE-2024-13681 is an arbitrary file read vulnerability in the Uncode theme for WordPress, affecting all versions up to and including 2.9.1.6. The flaw arises from insufficient input validation in the 'uncode_admin_get_oembed' function, mapped to CWE-20 (Improper Input Validation). It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high confidentiality impact with network accessibility, low attack complexity, and no authentication or user interaction required.

Unauthenticated attackers can exploit this vulnerability remotely by sending crafted requests to the affected WordPress site running the vulnerable Uncode theme version. Successful exploitation allows reading arbitrary files on the server, such as sensitive configuration files, database credentials, or other confidential data stored outside the web root.

Advisories recommend updating as the mitigation, since the vulnerability affects versions up to and including 2.9.1.6. For patch details and change log information, see the vendor advisory at https://support.undsgn.com/hc/en-us/articles/213454129-Change-Log and the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7914ebe6-b5e1-4a1a-8794-80f515e6c9f6?source=cve.

Details

CWE(s)
CWE-20, NVD-CWE-noinfo

Affected Products

undsgn / uncode, versions ≤ 2.9.1.7

References