Platform: wordpress
Component: infusionsoft-official-opt-in-forms
Fixed in: 2.0.2
CVE-2024-13725 is a critical Local File Inclusion (LFI) vulnerability affecting the Keap Official Opt-in Forms plugin for WordPress. This vulnerability allows unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to code execution and significant compromise. The vulnerability impacts versions of the plugin up to and including 2.0.1. A patch is expected to be released by the vendor.
The impact of CVE-2024-13725 is severe because of the potential for arbitrary code execution. An attacker can leverage the LFI vulnerability to include malicious PHP files, effectively gaining control over the web server. This could lead to data breaches, defacement of the website, or even complete server takeover. The description highlights a particularly concerning scenario: if register_argc_argv is enabled and pearcmd.php is present, the vulnerability could be exploited for Remote Code Execution (RCE), significantly expanding the attack surface. The ability to upload and include PHP files is a key prerequisite for exploitation, but the potential consequences are substantial.
CVE-2024-13725 was publicly disclosed on 2025-02-18. Public proof-of-concept (PoC) code is likely to emerge given the ease of exploitation associated with LFI vulnerabilities. The CRITICAL CVSS score indicates a high probability of exploitation. Active campaigns targeting WordPress plugins are common, so this vulnerability is likely to attract attention from malicious actors.
Exploit Status
EPSS: 0.43% (63rd percentile)
The primary mitigation for CVE-2024-13725 is to upgrade the Keap Official Opt-in Forms plugin to a version containing the fix. Until a patch is available, consider disabling the plugin entirely to prevent exploitation. If disabling the plugin is not feasible, implement strict file access controls on the WordPress server to prevent attackers from uploading malicious PHP files. Web Application Firewalls (WAFs) configured to detect and block attempts to include arbitrary files can provide an additional layer of defense. Monitor WordPress access logs for suspicious file inclusion attempts, particularly those targeting the service parameter.
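As an added defensive example that is not part of this advisory or the plugin vendor's code, the following Python script scans web-server access logs for file-inclusion indicators in the service parameter named above. The log lines are constructed samples, and PLACEHOLDER.php in them stands in for the vulnerable endpoint, which the advisory does not name; it is also assumed that a legitimate value of the parameter is a plain service name rather than a file path.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Apache/nginx "combined" access-log format: client ... request line ... status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3}) ')

# Substrings a legitimate value should never contain (assumption: the plugin
# expects a plain service name, not a file path).
INCLUSION_INDICATORS = (
    "../", "..\\", "\x00",  # directory traversal, null-byte truncation
    "php://", "data:",      # PHP stream wrappers
    "pearcmd",              # pearcmd.php abuse named in the advisory
    ".php",                 # direct inclusion of a PHP file
)

def fully_decode(value, passes=2):
    # parse_qs already decoded once; peel off a second (double-encoded) layer.
    for _ in range(passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target, param="service"):
    """Return the indicators found in `param` of a request target ([] if clean)."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    found = []
    for raw in query.get(param, []):
        value = fully_decode(raw).lower()
        for ind in INCLUSION_INDICATORS:
            if ind in value and ind not in found:
                found.append(ind)
    return found

def scan_log(lines, param="service"):
    """Return (ip, status, target, indicators) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (inds := inspect_request(m.group("target"), param)):
            hits.append((m.group("ip"), m.group("status"), m.group("target"), inds))
    return hits

# Constructed sample log lines; PLACEHOLDER.php stands in for the real endpoint.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Feb/2025:10:01:02 +0000] "GET /wp-content/plugins/infusionsoft-official-opt-in-forms/PLACEHOLDER.php?service=keap HTTP/1.1" 200 512',
    '203.0.113.9 - - [18/Feb/2025:10:01:05 +0000] "GET /wp-content/plugins/infusionsoft-official-opt-in-forms/PLACEHOLDER.php?service=..%2F..%2F..%2Fuploads%2Fx HTTP/1.1" 200 1024',
    '203.0.113.9 - - [18/Feb/2025:10:01:09 +0000] "GET /wp-content/plugins/infusionsoft-official-opt-in-forms/PLACEHOLDER.php?service=%252e%252e%2Fpearcmd HTTP/1.1" 500 0',
]
```

Only query strings are visible in access logs, so a POST body carrying the same parameter needs a WAF or application-level log to be inspected the same way.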
Update the Keap Official Opt-in Forms plugin to the latest available version. The vulnerability exists in versions prior to the most recent, and updating resolves the local file inclusion issue.
CVE-2024-13725 is a critical Local File Inclusion vulnerability in the Keap Official Opt-in Forms WordPress plugin, allowing attackers to include arbitrary PHP files and potentially execute code.
You are affected if you are using Keap Official Opt-in Forms plugin versions 2.0.1 or earlier. Upgrade immediately to mitigate the risk.
Upgrade the Keap Official Opt-in Forms plugin to the latest version containing the fix. If upgrading is not immediately possible, disable the plugin or implement file access controls.
While active exploitation is not yet confirmed, the vulnerability's severity and ease of exploitation suggest a high likelihood of exploitation in the near future.
Refer to the Keap website and WordPress plugin repository for official advisories and updates regarding CVE-2024-13725.