Porto theme vulnerable to Local File Inclusion
CVE-2024-3807
8.8 HIGH
Summary
The Porto theme for WordPress contains a vulnerability that allows authenticated attackers with contributor-level permissions or above to perform Local File Inclusion (LFI). The flaw is reached through the 'porto_page_header_shortcode_type', 'slideshow_type', and 'post_layout' post meta parameters, whose values determine which file the theme includes and executes, so a crafted value leads to the inclusion of arbitrary files on the server. If exploited, attackers can bypass access controls, obtain sensitive data, and execute any PHP code contained in the included files. The vulnerability was partially addressed in version 7.1.0 and fully patched in version 7.1.1.
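As an added illustration that is not Porto's code (the theme's actual implementation is not shown on this page), the snippet below contrasts a template include driven directly by a post meta value with an allow-listed version of the same logic; the function names, the `templates/` directory and the layout names are assumptions, and the same pattern applies to the 'slideshow_type' and 'porto_page_header_shortcode_type' meta values.

```php
<?php
// Added illustration, not Porto's code. A contributor can set post meta on
// their own posts, so 'post_layout' is attacker-controlled input.
function example_vulnerable_post_layout_include( $post_id ) {
    $layout = get_post_meta( $post_id, 'post_layout', true );
    // No validation: the meta value alone decides which file is included.
    include get_template_directory() . '/templates/post-' . $layout . '.php';
}

// Hardened version: the meta value only selects among a fixed set of
// templates (names assumed for this example); it never builds a path.
const EXAMPLE_ALLOWED_LAYOUTS = array( 'default', 'grid', 'masonry', 'timeline' );

function example_hardened_post_layout_include( $post_id ) {
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-],
    // which removes path separators and dots before the allow-list check.
    $layout = sanitize_key( (string) get_post_meta( $post_id, 'post_layout', true ) );
    if ( ! in_array( $layout, EXAMPLE_ALLOWED_LAYOUTS, true ) ) {
        $layout = 'default'; // unknown values fall back instead of being used
    }

    $base = realpath( get_template_directory() . '/templates' );
    $file = realpath( $base . '/post-' . $layout . '.php' );

    // Defence in depth: the resolved file must exist and sit inside the
    // theme's templates directory, even though the allow-list already holds.
    if ( false === $base || false === $file
        || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        return;
    }
    include $file;
}
```

The detection side of this fix is the same allow-list: post meta values for these keys that fall outside the expected set are worth logging and alerting on, since legitimate themes never need a path in them.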
Affected Version(s)
Porto <= 7.1.0 (all versions up to and including 7.1.0)
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
István Márton