Local File Inclusion Vulnerability in Bootstrap Ultimate Theme for WordPress
CVE-2024-13545

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Bootstrap Ultimate
Vendor: CVE Published:; 24 January 2025

Summary

The Bootstrap Ultimate theme for WordPress is subject to a Local File Inclusion vulnerability, affecting all versions up to and including 1.4.9. This flaw enables unauthenticated attackers to exploit the path parameter, which can lead to the inclusion of arbitrary PHP files from the server. By successfully leveraging this vulnerability, an attacker could bypass access controls, gain access to sensitive data, and even execute malicious PHP code. Moreover, if the php://filter wrapper is activated on the server, this vulnerability could facilitate direct Remote Code Execution, further amplifying the threat. Website owners are advised to patch the vulnerability by upgrading to the latest version of the Bootstrap Ultimate theme.

Affected Version(s)

Bootstrap Ultimate * <= 1.4.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themes.trac.wordpress.org/browser/bootstrap-ultim...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 24, 2025
Vulnerability Reserved
Jan 20, 2025

Credit

Aril Aprilio