Platform
wordpress
Component
bootstrap-ultimate
Fixed version
1.4.10
CVE-2024-13545 is a critical Local File Inclusion (LFI) vulnerability in the Bootstrap Ultimate WordPress theme. An unauthenticated attacker can make the server include arbitrary local PHP files, which can lead to sensitive data exposure or remote code execution. All versions up to and including 1.4.9 are affected; the issue is fixed in 1.4.10.
The impact of CVE-2024-13545 is severe. Because the theme passes an attacker-controlled path parameter to a PHP include, an unauthenticated attacker decides which file the server executes. That allows reading sensitive files such as wp-config.php (database credentials, salts, API keys), for example by wrapping the target in php://filter with a base64 encoding filter so that source is returned instead of executed, and it allows running PHP from any file the attacker can get onto the disk, such as an uploaded image with embedded PHP or a poisoned log file. php://filter chains can also turn the include into direct Remote Code Execution (RCE) without any upload at all, which significantly amplifies the risk: an attacker who reaches that point controls the entire WordPress instance.
CVE-2024-13545 was publicly disclosed on 2025-01-24. Despite the CVSS 9.8 rating and low exploitation complexity, the EPSS score at the time of writing was 1.85% (83rd percentile), a moderate predicted probability of exploitation. No public proof-of-concept (PoC) had been identified at the time of writing, but LFI bugs in WordPress themes are straightforward to exploit once the vulnerable parameter is known, so a PoC is likely to appear. Monitor security advisories and threat intelligence feeds for updates.
WordPress sites running Bootstrap Ultimate 1.4.9 or earlier are at significant risk, whether or not the theme is the active one, because theme files are reachable directly under /wp-content/themes/. Shared hosting environments are a particular concern: their coarse access controls can let a file read or code execution in one site reach files belonging to others on the same host. Sites with legacy configurations or without basic hardening (no WAF, no update process, permissive file permissions) are also at higher risk.
• wordpress / composer / npm:
grep -r "path=" /var/www/html/wp-content/themes/bootstrap-ultimate/
(Locates the theme code that reads the path parameter; adjust the web root to your installation.)
• generic web:
curl -s -i 'http://your-wordpress-site.com/wp-content/themes/bootstrap-ultimate/?path=../../../../etc/passwd'
(Run this only against hosts you are authorised to test. Use -i rather than -I: a HEAD request returns no body, so you cannot tell whether file contents came back.)
• wordpress / composer / npm:
wp theme list --fields=name,status,version | grep bootstrap-ultimate
(Bootstrap Ultimate is a theme, not a plugin, so wp plugin list will never show it. Check the version regardless of whether the theme is active: files under wp-content/themes are served directly, so an installed but inactive vulnerable copy can still be reached.)
• generic web:
Check access logs for requests to /wp-content/themes/bootstrap-ultimate/ whose path parameter contains ../ (including percent-encoded forms such as %2e%2e%2f and double-encoded %252e%252e%252f) or a stream wrapper such as php://filter.
• wordpress / composer / npm:
Use a WordPress security plugin to scan for known-vulnerable theme versions and for unexpected or modified PHP files that an inclusion could have targeted.
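The access-log check above is easy to get wrong if the comparison is done on the raw query string, because attackers percent-encode or double-encode the traversal sequence. The script below is an added example, not code from the original advisory or from the Bootstrap Ultimate theme: it decodes each query parameter until it stops changing, then flags traversal segments, stream-wrapper prefixes, absolute paths and null bytes in requests to the theme directory named on this page. The log lines are constructed for the example, and the path parameter name is the one the page itself cites. The same decode-then-match order is what a WAF rule for this CVE needs.

```python
"""Scan combined-format access logs for LFI attempts against the Bootstrap
Ultimate theme directory (CVE-2024-13545).

Added example; not part of the original advisory or the theme's code.
The log lines in SAMPLE_LOG are constructed for illustration."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Only requests under the theme directory are in scope for this CVE.
THEME_PATH = "/wp-content/themes/bootstrap-ultimate/"

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A ".." path segment anywhere in the decoded value (after \ -> / normalisation).
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Stream wrappers: php://filter, php://input, phar://, file://, data:, ...
WRAPPER = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|data:)", re.I)

# Constructed sample: three attack requests, two benign ones.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2025:10:00:01 +0000] "GET /wp-content/themes/bootstrap-ultimate/?path=../../../../etc/passwd HTTP/1.1" 200 1712 "-" "curl/8.5.0"
203.0.113.5 - - [24/Jan/2025:10:00:02 +0000] "GET /wp-content/themes/bootstrap-ultimate/?path=%252e%252e%252fwp-config.php HTTP/1.1" 200 3021 "-" "curl/8.5.0"
198.51.100.7 - - [24/Jan/2025:10:05:30 +0000] "GET /wp-content/themes/bootstrap-ultimate/?path=php://filter/convert.base64-encode/resource=../../../wp-config.php HTTP/1.1" 200 4098 "-" "python-requests/2.31"
192.0.2.9 - - [24/Jan/2025:10:06:00 +0000] "GET /wp-content/themes/bootstrap-ultimate/style.css HTTP/1.1" 200 5120 "https://example.test/" "Mozilla/5.0"
192.0.2.9 - - [24/Jan/2025:10:06:05 +0000] "GET /?s=../../etc/passwd HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
"""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (%252e -> %2e -> .) so a double-encoded
    payload is compared in the form PHP eventually sees."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) for query parameters of a request to the
    theme directory that look like file-inclusion payloads."""
    parts = urlsplit(target)
    if not decode_fully(parts.path).startswith(THEME_PATH):
        return []  # out of scope: the last sample line is deliberately ignored
    hits = []
    # parse_qs performs one round of decoding; decode_fully handles the rest.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for raw in values:
            value = decode_fully(raw).replace("\\", "/")
            if (TRAVERSAL.search(value) or WRAPPER.match(value)
                    or value.startswith("/") or "\x00" in value):
                hits.append((name, value))
    return hits


def scan(lines) -> list[dict]:
    """Parse combined-format log lines and report requests with LFI indicators."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # blank or unparseable line
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"],
                "time": m["ts"],
                "status": int(m["status"]),
                "params": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['time']} status={f['status']} {f['params']}")
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`. A 200 status on a flagged request is the line to investigate first; a 404 or 403 usually means the WAF or the patched theme refused it, but the source IP is still worth blocking.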
disclosure
Exploitation status
EPSS
1.85% (83rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-13545 is to upgrade Bootstrap Ultimate to version 1.4.10 or later. Until that is done, several interim measures reduce exposure. Configure the Web Application Firewall (WAF) to block requests to /wp-content/themes/bootstrap-ultimate/ whose path parameter contains a traversal sequence (../, including percent-encoded and double-encoded forms) or a stream wrapper prefix such as php://; match on the decoded value, not on the raw query string. Restrict and validate file uploads, because an LFI turns any attacker-controlled file already on disk (an uploaded image with embedded PHP, a writable log file) into executable code. Note that php://filter cannot be switched off in php.ini: allow_url_include=Off (the default) blocks remote inclusion but has no effect on php://filter, so PHP configuration alone does not close this hole. Regularly scan the WordPress installation with a security plugin. After upgrading, confirm that wp theme list reports 1.4.10 or later and that a traversal request via the path parameter no longer returns file contents.
Update the Bootstrap Ultimate theme to the latest version (1.4.10 or later). The vulnerability is present in every earlier version. Refer to the theme's documentation for update instructions.
CVE-2024-13545 is a critical Local File Inclusion vulnerability in the Bootstrap Ultimate WordPress theme (versions up to and including 1.4.9) that lets unauthenticated attackers include arbitrary PHP files and potentially execute code.
If you are using Bootstrap Ultimate WordPress theme version 1.4.9 or earlier, you are affected, even if the theme is installed but not active. Upgrade to 1.4.10 or later.
The primary fix is to upgrade to Bootstrap Ultimate 1.4.10 or later. Until then, add WAF rules that block traversal sequences and stream wrappers in the path parameter, and restrict file uploads, as interim mitigations.
No active exploitation had been confirmed at the time of writing, but the vulnerability's severity and ease of exploitation make it a likely target. Monitor security advisories.
Check the Bootstrap Ultimate theme's official website and the WordPress theme directory for updates and security advisories related to CVE-2024-13545.