CVE-2024-3806

CRITICAL EXPLOITED RANSOMWARE

Porto theme for WordPress <7.1.0 - Local File Inclusion

Title source: llm

Description

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_ajax_posts' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

Exploits (3)

nomisec WORKING POC

by RandomRobbieBF · remote

https://github.com/RandomRobbieBF/CVE-2024-3806

View Code ZIP pw:eip

inthewild

poc

https://github.com/truonghuuphuc/cve-2024-3806-and-cve-2024-3807-poc

View on inthewild

vulncheck_xdb

infoleak

https://github.com/truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc

View on vulncheck_xdb

References (2)

[Various Sources] https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/98ccc604-79c6-4be9-acb0-23fc82a31dfa?source=cve

Scores

CVSS v3 9.8

EPSS 0.5648

EPSS Percentile 98.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Intel

VulnCheck KEV 2025-03-19

Ransomware Use Confirmed

Classification

Status draft

Timeline

Published May 14, 2024

Tracked Since Feb 18, 2026