CVE-2024-3807

Name of the Vulnerable Software and Affected Versions Porto theme for WordPress versions up to and including 7.1.0

Description The issue allows authenticated attackers with contributor-level and above permissions to include and execute arbitrary files on the server. This is achieved via the porto page header shortcode type, slideshow type, and post layout post meta. The exploitation of this issue can lead to bypassing access controls, obtaining sensitive data, or achieving code execution in cases where PHP file types can be uploaded and included.

Recommendations For versions up to and including 7.1.0, update to version 7.1.1 to fully patch the issue. As a temporary workaround, consider restricting access to the porto page header shortcode type, slideshow type, and post layout post meta to minimize the risk of exploitation.