Unauthenticated Local File Inclusion Vulnerability in Soledad Theme Affects WordPress Versions Up to 8.5.9
CVE-2024-11289

8.1HIGH

Key Information:

Vendor: Wordpress
Status: Soledad
Vendor: CVE Published:; 6 December 2024

Summary

The Soledad theme for WordPress has a local file inclusion vulnerability that affects all versions up to and including 8.5.9. Several functions, such as penci_archive_more_post_ajax_func, penci_more_post_ajax_func, and penci_more_featured_post_ajax_func, are susceptible to exploitation by unauthenticated attackers. This vulnerability allows the inclusion and execution of PHP files on the server, potentially leading to the execution of arbitrary PHP code. Attackers can leverage this issue to bypass access controls, access sensitive information, or achieve code execution when PHP files are uploaded and included. This vulnerability primarily affects Windows environments.

Affected Version(s)

Soledad * <= 8.5.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/soledad-multiconcept-blogmag...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 6, 2024
Vulnerability Reserved
Nov 15, 2024

Credit

Friderika Baranyai