CVE-2024-13790
Published: 19 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
CVE-2024-13790 is a Local File Inclusion vulnerability (CWE-98) affecting the MinimogWP – The High Converting eCommerce WordPress Theme for WordPress in all versions up to and including 3.7.0. The flaw stems from improper handling of the 'template' parameter, which enables attackers to include and execute arbitrary files on the server, potentially leading to the execution of PHP code within those files.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, no privileges, and no user interaction, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Exploitation allows inclusion of arbitrary server files for PHP code execution, enabling attackers to bypass access controls, obtain sensitive data, or achieve remote code execution, particularly when combined with uploads of images or other "safe" file types containing exploitable PHP content.
Advisories and related resources, including the theme's changelog at thememove.com, the ThemeForest product page, and Wordfence's threat intelligence report, provide details on updates and mitigation steps for affected installations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated remote LFI in a public-facing WordPress theme allowing arbitrary file inclusion and PHP code execution, directly enabling exploitation of public-facing applications (T1190), command/script execution via PHP (T1059), and access to local system files for sensitive data (T1005).