Platform
wordpress
Component
campress
Fixed in
1.35.1
CVE-2024-10763 describes a critical Local File Inclusion (LFI) vulnerability affecting the Campress WordPress theme. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to complete system compromise. The vulnerability impacts versions of the Campress theme up to and including 1.35. A patch is expected to be released by the theme developers.
The impact of this LFI vulnerability is severe. An attacker can leverage it to execute arbitrary PHP code on the web server. This could involve uploading a malicious PHP file, including it via the vulnerable campresswoocommercegetajaxproducts function, and then executing the code. Successful exploitation allows attackers to bypass access controls, steal sensitive data (database credentials, API keys, user information), and potentially gain full control of the WordPress instance. The ability to execute arbitrary code opens the door to a wide range of attacks, including defacement, malware injection, and persistent backdoors. This vulnerability shares similarities with other LFI exploits where attackers leverage file inclusion to gain code execution, highlighting the importance of secure coding practices and input validation.
CVE-2024-10763 is currently not listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's severity and ease of exploitation. The vulnerability's unauthenticated nature increases the likelihood of exploitation attempts. The NVD entry was published on 2025-02-13, indicating public disclosure.
Exploit Status
EPSS
0.07% (20% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10763 is to upgrade the Campress WordPress theme to a patched version as soon as it becomes available. Until a patch is released, consider temporarily disabling the Campress theme to prevent exploitation. As a temporary workaround, implement strict file access controls on the WordPress server to limit the attacker's ability to include arbitrary files. Review and harden WordPress security configurations, including restricting file upload permissions and implementing a Web Application Firewall (WAF) with rules to block suspicious file inclusion attempts. Monitor WordPress logs for unusual file access patterns or PHP execution errors.
Update the Campress theme to a version later than 1.35. If an update is not available, consider disabling or replacing the theme until a patched version is released. Refer to the theme documentation for specific instructions on how to update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-10763 is a critical Local File Inclusion vulnerability in the Campress WordPress theme, allowing attackers to execute arbitrary code on the server.
You are affected if you are using the Campress WordPress theme version 1.35 or earlier. Upgrade immediately.
Upgrade the Campress WordPress theme to the latest patched version as soon as it's available. Temporarily disable the theme if a patch isn't immediately accessible.
While not confirmed, the vulnerability's severity and ease of exploitation suggest active exploitation is likely.
Check the Campress theme developer's website and WordPress plugin repository for updates and advisories related to CVE-2024-10763.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.