CVE-2024-11289

Name of the Vulnerable Software and Affected Versions Soledad theme for WordPress versions up to, and including, 8.5.9

Description The Soledad theme for WordPress is vulnerable to Local File Inclusion via several functions like penci archive more post ajax func, penci more post ajax func, and penci more featured post ajax func. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. The exploitability of this is limited to Windows.

Recommendations For Soledad theme for WordPress versions up to, and including, 8.5.9, consider disabling the penci archive more post ajax func, penci more post ajax func, and penci more featured post ajax func functions until a patch is available. Restrict access to sensitive PHP files to minimize the risk of exploitation. Avoid using the Soledad theme for WordPress on Windows until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.