Platform
wordpress
Component
campress
Fixed in
1.35.1
CVE-2024-10763 describes a critical Local File Inclusion (LFI) vulnerability in the Campress WordPress theme. It allows unauthenticated attackers to include and execute arbitrary files on the server, which can lead to complete compromise of the site. All versions of the theme up to and including 1.35 are affected; the fix is in version 1.35.1.
The impact of this LFI is severe. The inclusion happens in the theme's campress_woocommerce_get_ajax_products function, which is reachable without authentication. An attacker can include any file the PHP process can read, and obtains code execution by pointing the inclusion at a file whose contents they control (for example a previously uploaded image or document carrying PHP code, or a log file seeded with PHP) or at a PHP stream wrapper. Even without code execution, including wp-config.php or other local files exposes database credentials, API keys and user data. Successful exploitation therefore allows attackers to bypass access controls, steal sensitive data and gain full control of the WordPress instance, opening the door to defacement, malware injection and persistent backdoors. The root cause is the usual one for LFI: a request-controlled value reaches an include statement without being validated against an allowlist or confined to the intended directory.
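The following is an added illustration of the LFI shape described above and of the two checks that close it (allowlisting the template name and confirming the resolved path stays inside the template directory). It is not the Campress code, and it is written in Python rather than PHP so it can be run as-is; the template names, the `layout` parameter and the directory layout are assumptions made up for the example.

```python
"""Vulnerable vs hardened template resolution (illustrative, not theme code)."""
import os
import tempfile
from pathlib import Path
from typing import Optional

# Hypothetical template directory, created on the fly so the example runs
# offline. Names are assumptions, not the theme's real files.
TEMPLATES = {
    "product-grid.php": "<?php /* grid */ ?>",
    "product-list.php": "<?php /* list */ ?>",
}
ALLOWED_LAYOUTS = {"product-grid", "product-list"}


def make_template_dir() -> Path:
    """Build <root>/templates/ plus a <root>/wp-config.php outside it."""
    root = Path(tempfile.mkdtemp())
    tpl = root / "templates"
    tpl.mkdir()
    for name, body in TEMPLATES.items():
        (tpl / name).write_text(body)
    # A sensitive file outside the template directory, the classic LFI target.
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'secret'); ?>")
    return tpl


def resolve_unsafe(template_dir: Path, layout: str) -> Path:
    """Vulnerable shape: the request value is concatenated into the include path.

    layout='../wp-config' yields templates/../wp-config.php, i.e. the file
    one level up, and that file would be included and executed.
    """
    return Path(str(template_dir) + "/" + layout + ".php")


def is_contained(base: Path, candidate: Path) -> bool:
    """True only if candidate (after symlink/.. resolution) lies under base."""
    base_r = base.resolve()
    cand_r = candidate.resolve()
    # commonpath also rejects prefix tricks such as /templates-evil/ vs /templates/
    return os.path.commonpath([str(base_r), str(cand_r)]) == str(base_r)


def resolve_safe(template_dir: Path, layout: str) -> Optional[Path]:
    """Hardened: allowlist first, then containment, then existence.

    The allowlist alone already rejects '../..' and 'php://filter/...'; the
    containment check is kept as defence in depth for code paths where the
    set of valid names is not fixed.
    """
    if layout not in ALLOWED_LAYOUTS:
        return None
    candidate = template_dir / (layout + ".php")
    if not is_contained(template_dir, candidate):
        return None
    if not candidate.is_file():
        return None
    return candidate.resolve()


if __name__ == "__main__":
    tpl = make_template_dir()
    print("unsafe ../wp-config ->", resolve_unsafe(tpl, "../wp-config").read_text())
    print("safe   ../wp-config ->", resolve_safe(tpl, "../wp-config"))
    print("safe   product-grid ->", resolve_safe(tpl, "product-grid"))
```

The unsafe resolver happily returns the file outside the template directory, and the contents it prints are exactly what an attacker would obtain (or execute, in PHP) through the real vulnerability; the hardened resolver returns None for every value that is not a known layout inside the template directory.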
CVE-2024-10763 is currently not listed in the CISA KEV catalog, and the EPSS score shown below (0.07%, 20th percentile) is low. That does not rule out exploitation: the vulnerable function is reachable without authentication, the bug class is easy to weaponize once the request shape is known, and public proof-of-concept code may follow the disclosure. The NVD entry was published on 2025-02-13.
WordPress sites running the Campress theme at version 1.35 or earlier are at risk regardless of other configuration. The risk is higher on shared hosting, where a compromised site can be used to reach other sites on the same server, and on sites where PHP can read files outside the web root (no open_basedir restriction) or execute PHP placed in upload directories, since both make it easier to turn file inclusion into code execution.
• wordpress / composer / npm (confirms the theme and the affected function are present; the function name alone does not tell the version apart):
grep -r 'campress_woocommerce_get_ajax_products' /var/www/html/wp-content/themes/campress/
• generic web (the theme's style.css header declares its version; anything below 1.35.1 is affected):
curl -s https://your-wordpress-site.com/wp-content/themes/campress/style.css | grep -i '^Version:'
• wordpress / composer / npm (Campress is a theme, so use the theme list, not the plugin list):
wp theme list | grep campress
Disclosure
Exploit Status
EPSS
0.07% (20th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-10763 is to upgrade the Campress theme to version 1.35.1 or later. If the upgrade cannot be applied immediately, temporarily switch to another theme so the vulnerable code is not reachable. In the meantime, reduce what an inclusion can reach: confine PHP to the site directory with open_basedir, prevent PHP execution in wp-content/uploads (so an uploaded file carrying PHP cannot be included to gain code execution), and keep file permissions tight. Add Web Application Firewall rules that block directory traversal sequences (../ and their URL-encoded forms) and PHP stream wrappers such as php://, and monitor web server logs for those patterns as well as PHP errors that reference unexpected include paths.
Update the Campress theme to a version later than 1.35. If no update is available, consider deactivating or replacing the theme until a fixed version is published. Consult the theme documentation for specific instructions on how to perform the update.
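The detection commands above and the log monitoring recommended in the remediation both reduce to two checks: is the installed version below 1.35.1, and do the access logs show file-inclusion attempts. The following added example (not from the page or the theme vendor) implements both. The style.css content and the access-log lines are constructed for the example, and the `layout` query parameter in them is a placeholder, not the real request parameter.

```python
"""Version check and LFI log triage for a WordPress theme (added example)."""
import re
from typing import Iterable, List, Tuple
from urllib.parse import unquote

FIXED_VERSION = (1, 35, 1)

# Constructed sample of wp-content/themes/campress/style.css; WordPress themes
# declare their version in this stylesheet header.
SAMPLE_STYLE_CSS = """/*
Theme Name: Campress
Version: 1.35
*/
"""

# Constructed access-log lines (Apache/nginx combined format). The 'layout'
# parameter is an invented placeholder, not the theme's real parameter name.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Feb/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [13/Feb/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=x&layout=../../../../etc/passwd HTTP/1.1" 200 1840 "-" "curl/8.0"
203.0.113.5 - - [13/Feb/2025:10:00:03 +0000] "GET /?layout=%2e%2e%2f%2e%2e%2fwp-config HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.7 - - [13/Feb/2025:10:00:04 +0000] "GET /?layout=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.9 - - [13/Feb/2025:10:00:05 +0000] "GET /shop/?layout=product-grid HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Ordered: the first matching indicator is reported for a request.
LFI_PATTERNS = [
    (re.compile(r"\.\./|\.\.\\"), "directory traversal"),
    (re.compile(r"\b(?:php|file|data|expect|zip|phar)://", re.IGNORECASE), "stream wrapper"),
    (re.compile(r"/etc/passwd|wp-config", re.IGNORECASE), "sensitive file name"),
]


def parse_theme_version(style_css: str) -> Tuple[int, ...]:
    """Extract the 'Version:' header as a tuple, e.g. '1.35' -> (1, 35)."""
    m = re.search(r"^\s*Version:\s*([\d.]+)", style_css, re.MULTILINE)
    if not m:
        raise ValueError("no Version header in style.css")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """Tuple comparison handles 1.35 < 1.35.1 < 1.36 correctly."""
    return version < FIXED_VERSION


def find_lfi_attempts(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, indicator, raw_request_target) for suspicious requests.

    The target is URL-decoded twice so that double-encoded traversal
    (%252e%252e%252f) is caught as well as the single-encoded form. POST
    bodies are not in the access log, so body-borne payloads need the WAF
    or PHP-level logging; this only covers what the web server records.
    """
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if not m:
            continue
        raw_target = m.group(1)
        decoded = unquote(unquote(raw_target))
        for pattern, label in LFI_PATTERNS:
            if pattern.search(decoded):
                client_ip = line.split(" ", 1)[0]
                hits.append((client_ip, label, raw_target))
                break
    return hits


if __name__ == "__main__":
    version = parse_theme_version(SAMPLE_STYLE_CSS)
    print("installed:", ".".join(map(str, version)), "vulnerable:", is_vulnerable(version))
    for ip, label, target in find_lfi_attempts(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {label:20} {target}")
```

On the sample data the version check reports 1.35 as vulnerable, and the log triage flags the two traversal requests and the php:// wrapper request while leaving the legitimate product-grid request alone; feeding real logs in via `find_lfi_attempts(open(path))` is the intended use.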
CVE-2024-10763 is a critical, unauthenticated Local File Inclusion vulnerability in the Campress WordPress theme that lets attackers include arbitrary local files and execute code on the server.
You are affected if you are using the Campress WordPress theme at version 1.35 or earlier. Upgrade to 1.35.1 or later immediately.
Upgrade the Campress theme to 1.35.1 or later. If you cannot apply the update right away, switch to another theme until you can.
No active exploitation has been confirmed, and the EPSS score on this page is low, but the flaw needs no authentication and is simple to exploit once the request shape is known, so treat exposed sites as at risk.
Check the Campress theme developer's website and the channel the theme was obtained from for updates and advisories related to CVE-2024-10763.