Platform
wordpress
Component
bootstrap-ultimate
Fixed in
1.4.10
CVE-2024-13545 is a critical Local File Inclusion (LFI) vulnerability affecting the Bootstrap Ultimate WordPress theme. This vulnerability allows unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to sensitive data exposure or remote code execution. The vulnerability impacts versions of the theme up to and including 1.4.9. A patch is expected from the vendor.
The impact of CVE-2024-13545 is severe. An attacker can leverage the LFI vulnerability to include malicious PHP files, effectively gaining control over the web server's execution flow. This could involve uploading a PHP backdoor, reading sensitive configuration files (database credentials, API keys), or even executing arbitrary commands on the server. If the php://filter wrapper can be used through the vulnerable parameter, direct Remote Code Execution (RCE) becomes possible, which significantly amplifies the risk and allows attackers to bypass access controls and compromise the entire WordPress instance. This vulnerability shares similarities with other LFI exploits in which attackers leverage file inclusion to gain unauthorized access and execute malicious code.
CVE-2024-13545 was publicly disclosed on 2025-01-24. The vulnerability's criticality (CVSS 9.8) and ease of exploitation suggest a medium probability of exploitation. While no public proof-of-concept (PoC) has been identified at the time of writing, the LFI nature of the vulnerability makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
WordPress websites using the Bootstrap Ultimate theme, particularly those running versions prior to the patch release, are at significant risk. Shared hosting environments are especially vulnerable as they often lack granular access controls, making it easier for attackers to exploit the vulnerability. Websites with legacy configurations or those that haven't implemented robust security practices are also at higher risk.
• wordpress / composer / npm:
grep -r "path=" /var/www/html/wp-content/themes/bootstrap-ultimate/
• generic web:
curl -I 'http://your-wordpress-site.com/wp-content/themes/bootstrap-ultimate/?path=../../../../etc/passwd'
• wordpress / composer / npm:
wp theme list | grep 'bootstrap-ultimate'
• generic web:
Check access logs for requests containing suspicious path parameters such as ../ or ../../ targeting the /wp-content/themes/bootstrap-ultimate/ directory.
• wordpress / composer / npm:
Use a WordPress security plugin to scan for LFI vulnerabilities and potential malicious file inclusions.
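As an added example (not part of the advisory), the access-log check above implemented in Python over constructed sample lines in combined log format. It assumes the vulnerable parameter is named path, as the advisory's own checks do, and flags requests to the theme directory whose path value, after URL decoding, contains .., a stream wrapper such as php://, or an absolute path.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Theme directory named in the advisory; the "path" parameter name is assumed
# from the advisory's own checks, not taken from the theme's source.
THEME_DIR = "/wp-content/themes/bootstrap-ultimate/"
PARAM = "path"

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

def is_suspicious_path(value: str) -> bool:
    """Flag traversal sequences, stream wrappers and absolute paths.
    parse_qs already URL-decoded once; decode again so %252e-style
    double encoding is also caught."""
    v = unquote(value).replace("\\", "/").lower()
    return ".." in v or "://" in v or v.startswith("/")

def scan_access_log(lines):
    """Return (client, time, status, raw path value) for each request to the
    theme directory whose 'path' parameter looks like a file-inclusion attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.startswith(THEME_DIR):
            continue  # other requests may carry "path=" but are out of scope
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_suspicious_path(value):
                hits.append((client, when, int(status), value))
    return hits

# Constructed sample log lines (not real traffic); RFC 5737 test addresses
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Jan/2025:10:01:02 +0000] "GET /wp-content/themes/bootstrap-ultimate/?path=../../../../etc/passwd HTTP/1.1" 200 1289',
    '203.0.113.5 - - [24/Jan/2025:10:01:03 +0000] "GET /wp-content/themes/bootstrap-ultimate/?path=php://filter/resource=index.php HTTP/1.1" 200 3310',
    '198.51.100.7 - - [24/Jan/2025:10:02:10 +0000] "GET /wp-content/themes/bootstrap-ultimate/?path=%252e%252e/wp-config.php HTTP/1.1" 404 0',
    '192.0.2.9 - - [24/Jan/2025:10:03:00 +0000] "GET /wp-content/themes/bootstrap-ultimate/style.css HTTP/1.1" 200 8812',
    '192.0.2.9 - - [24/Jan/2025:10:03:01 +0000] "GET /?s=bootstrap+path=../x HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("possible LFI attempt: client=%s time=%s status=%d path=%r" % hit)
```

A 404 on such a request is still worth recording: it shows the probe, and the status alone does not prove the inclusion failed on a version that is still vulnerable.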
EPSS
1.85% (83rd percentile)
The primary mitigation for CVE-2024-13545 is to upgrade to a patched version of the Bootstrap Ultimate WordPress theme as soon as it becomes available. In the interim, several workarounds can be implemented. A Web Application Firewall (WAF) can be configured to block requests containing suspicious path parameters. Restrict file upload permissions to prevent attackers from uploading malicious PHP files. Disable the php://filter wrapper if it is not essential for your application. Regularly scan your WordPress installation for vulnerabilities using security plugins. After upgrading, confirm the fix by attempting to access a non-existent file via the vulnerable parameter and verifying that a 404 error is returned.
Update the Bootstrap Ultimate theme to the latest available version. The vulnerability is present in versions earlier than the most recent one. Consult the theme documentation for instructions on how to perform the update.
CVE-2024-13545 is a critical Local File Inclusion vulnerability in the Bootstrap Ultimate WordPress theme, allowing attackers to include arbitrary PHP files and potentially execute code.
If you are using Bootstrap Ultimate WordPress theme versions 1.4.9 or earlier, you are potentially affected by this vulnerability. Upgrade as soon as a patch is available.
The primary fix is to upgrade to a patched version of the Bootstrap Ultimate theme. Implement WAF rules and restrict file upload permissions as interim mitigations.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for exploitation. Monitor security advisories.
Check the Bootstrap Ultimate theme's official website and WordPress plugin repository for updates and security advisories related to CVE-2024-13545.