Platform: wordpress
Component: designthemes-core-features
Fixed in: 4.7.1
CVE-2024-13471 describes an Arbitrary File Access vulnerability in the DesignThemes Core Features plugin for WordPress. It allows unauthenticated attackers to read arbitrary files on the server, exposing sensitive data and system information. The vulnerability affects all versions of the plugin up to and including 4.7 and is fixed in 4.7.1, available as a normal plugin update.
The primary impact of CVE-2024-13471 is the unauthorized disclosure of files. An attacker can read any file the web server process can read: configuration files, plugin and theme source code, and in particular wp-config.php, which holds the database credentials and authentication salts. With those credentials an attacker who can reach the database can create or take over an administrator account, and a WordPress administrator can install plugins, which amounts to remote code execution. Arbitrary file read therefore tends to be the first step of a full site compromise rather than a pure data-exfiltration issue.
CVE-2024-13471 was publicly disclosed on 2025-03-05. There are currently no publicly available proof-of-concept exploits, and the vulnerability is not listed in the CISA KEV catalog as of that date. Exploitation requires no authentication; the attacker must know or guess the path of the file to read, but on a WordPress installation the most valuable targets (wp-config.php and the plugin and theme directories) sit at predictable locations, so the practical barrier is low while the impact is high.
Exploit Status
EPSS: 1.53% (81st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-13471 is to update the DesignThemes Core Features plugin to 4.7.1 or later immediately. There is no configuration-level workaround, so if the update cannot be applied, disable the plugin until it can. Stricter file permissions on the server limit the blast radius only partially: the file read runs as the web server process, so anything that process legitimately needs (wp-config.php included) remains readable, but files outside the web root and other sites on the same host can be kept out of its reach. Regularly review installed plugins and remove any that are unused or abandoned to reduce the overall attack surface. After upgrading, confirm the fix by requesting a known sensitive file through the previously vulnerable endpoint and verifying that access is denied.
Update the DesignThemes Core Features plugin to a version later than 4.7. If no update is available, consider disabling the plugin until a fixed version is published.
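The following script is an added example, not tooling from DesignThemes or from this advisory. It automates two of the checks described above for a WordPress root on disk: whether the plugin is installed at a vulnerable version (anything below the fixed version 4.7.1) and whether wp-config.php is readable by users other than its owner and group. The plugin directory name, the main-file name and the sample site tree are assumptions; the fake site is constructed inline so the script runs offline.

```python
"""Check a WordPress root for a vulnerable DesignThemes Core Features plugin
(CVE-2024-13471: affected <= 4.7, fixed in 4.7.1) and for an over-permissive
wp-config.php.  Added example; slug, file names and fixture data are assumed."""
import re
import stat
import tempfile
from pathlib import Path

FIXED_VERSION = "4.7.1"                      # from the advisory
PLUGIN_SLUG = "designthemes-core-features"   # assumed directory name under wp-content/plugins
# WordPress plugin headers look like " * Version: 4.7" inside the main file's docblock.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(v):
    """'4.7' -> (4, 7, 0); '4.7.1' -> (4, 7, 1).  Padding makes 4.7 compare as 4.7.0."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version):
    """True for every version below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def plugin_version(plugin_dir):
    """Return the Version: header from the first PHP file in plugin_dir that has one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        text = php.read_text(errors="replace")[:8192]   # the header is in the first few KB
        m = HEADER_RE.search(text)
        if m:
            return m.group(1)
    return None


def check_site(wp_root):
    """Inspect one WordPress root; returns a dict of findings."""
    root = Path(wp_root)
    plugin_dir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    result = {
        "plugin_installed": plugin_dir.is_dir(),
        "version": None,
        "vulnerable": False,
        "wp_config_world_readable": None,
    }
    if result["plugin_installed"]:
        ver = plugin_version(plugin_dir)
        result["version"] = ver
        result["vulnerable"] = ver is not None and is_vulnerable(ver)
    cfg = root / "wp-config.php"
    if cfg.is_file():
        # "other" read bit set means any local user, not just the web server, can read the secrets
        result["wp_config_world_readable"] = bool(cfg.stat().st_mode & stat.S_IROTH)
    return result


def build_sample_site(version="4.7", config_mode=0o644):
    """Constructed fixture: a minimal fake WordPress tree in a temp dir.  Returns its root."""
    root = Path(tempfile.mkdtemp())
    pdir = root / "wp-content" / "plugins" / PLUGIN_SLUG
    pdir.mkdir(parents=True)
    (pdir / f"{PLUGIN_SLUG}.php").write_text(
        "<?php\n/**\n * Plugin Name: DesignThemes Core Features\n"
        f" * Version: {version}\n */\n"
    )
    cfg = root / "wp-config.php"
    cfg.write_text("<?php define('DB_PASSWORD', 'example-not-real');\n")
    cfg.chmod(config_mode)
    return root


if __name__ == "__main__":
    for ver, mode in (("4.7", 0o644), ("4.7.1", 0o640)):
        print(check_site(build_sample_site(ver, mode)))
```

Point check_site at a real document root instead of the fixture to use it in practice; a "vulnerable": True result means the update has not landed yet, and "wp_config_world_readable": True means the permission tightening described above is still outstanding.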
CVE-2024-13471 is a vulnerability in the DesignThemes Core Features WordPress plugin allowing unauthenticated attackers to read arbitrary files. It has a CVSS score of 7.5 (HIGH) and affects versions up to 4.7.
You are affected if your WordPress site uses the DesignThemes Core Features plugin version 4.7 or earlier. Check your plugin versions immediately.
Update the DesignThemes Core Features plugin to the latest available version. There are no known workarounds beyond updating the plugin.
As of now, there are no confirmed reports of active exploitation, but the vulnerability is publicly known and could be targeted.
Refer to the DesignThemes website or WordPress plugin repository for the latest advisory and update information regarding CVE-2024-13471.