CVE-2024-3808

Name of the Vulnerable Software and Affected Versions The Porto Theme - Functionality plugin for WordPress versions up to, and including, 3.1.0

Description The issue allows authenticated attackers with contributor-level and above permissions to include and execute arbitrary files on the server via the 'porto portfolios' shortcode 'portfolio layout' attribute. This can lead to bypassing access controls, obtaining sensitive data, or achieving code execution in cases where PHP file types can be uploaded and included.

Recommendations For versions up to, and including, 3.1.0, update to a version later than 3.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the 'porto portfolios' shortcode and limiting the ability to upload PHP files to minimize the risk of exploitation.