CVE-2024-13725 Overview
The Keap Official Opt-in Forms plugin for WordPress contains a critical Local File Inclusion (LFI) vulnerability affecting all versions up to and including 2.0.1. The vulnerability exists in the service parameter handling, which allows unauthenticated attackers to include arbitrary PHP files on the server. This flaw enables execution of any PHP code present in those files, potentially leading to complete site compromise.
Critical Impact
Unauthenticated attackers can exploit this vulnerability to bypass access controls, steal sensitive data, or achieve Remote Code Execution if register_argc_argv is enabled and pearcmd.php is installed on the server.
Affected Products
- Keap Official Opt-in Forms plugin for WordPress versions ≤ 2.0.1
- WordPress installations using the vulnerable plugin (also known as Infusionsoft Official Opt-in Forms)
- Servers with register_argc_argv enabled and pearcmd.php installed (elevated RCE risk)
Discovery Timeline
- 2025-02-18 - CVE CVE-2024-13725 published to NVD
- 2025-02-21 - Last updated in NVD database
Technical Details for CVE-2024-13725
Vulnerability Analysis
This Local File Inclusion vulnerability stems from improper input validation in the WordPress plugin's request handling logic. The service parameter accepts user-controlled input that is used to construct file paths for PHP file inclusion without adequate sanitization. Because the vulnerability is accessible without authentication, any remote attacker can craft malicious requests to include arbitrary PHP files that exist on the server.
The attack surface is significantly expanded when certain server configurations are present. If the PHP directive register_argc_argv is enabled and the PEAR package manager's pearcmd.php file is accessible, attackers can leverage this LFI vulnerability to achieve Remote Code Execution through a technique known as "pearcmd exploitation." This technique abuses PEAR's command-line interface functionality to write arbitrary PHP files to the webroot.
Root Cause
The root cause is a path traversal vulnerability (CWE-22) in the plugin's file inclusion mechanism. The vulnerable code fails to properly validate and sanitize the service parameter before using it in a file inclusion operation. This allows attackers to use directory traversal sequences (such as ../) to escape the intended directory and include files from arbitrary locations on the filesystem.
The vulnerable code can be reviewed in the WordPress Plugin Source Code, specifically around line 2540 in infusionsoft.php.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can send specially crafted HTTP requests to a WordPress site running the vulnerable plugin. The service parameter is manipulated to include directory traversal sequences that navigate to sensitive PHP files on the server.
In the most severe scenario, when register_argc_argv is enabled and pearcmd.php is accessible, the attacker can chain this LFI with PEAR command injection to write a malicious PHP webshell to the server, achieving full Remote Code Execution. This transforms a file inclusion vulnerability into complete server compromise.
The exploitation does not require any authenticated session, making it trivially exploitable by any attacker who can reach the WordPress installation over the network.
Detection Methods for CVE-2024-13725
Indicators of Compromise
- Unusual HTTP requests to the Keap/Infusionsoft plugin endpoints containing ../ sequences or references to system files
- Web server access logs showing requests with the service parameter containing path traversal patterns
- Unexpected PHP files appearing in the webroot or plugin directories
- Evidence of pearcmd.php access in server logs if RCE was attempted
- Suspicious outbound network connections from the web server following exploitation
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts in request parameters
- Monitor web server logs for requests containing directory traversal sequences (../, ..%2f, etc.) targeting plugin endpoints
- Deploy file integrity monitoring on WordPress installations to detect unauthorized file modifications
- Configure intrusion detection systems to alert on LFI attack patterns targeting WordPress plugins
Monitoring Recommendations
- Enable verbose logging for WordPress and the web server to capture detailed request information
- Set up alerts for any access attempts to pearcmd.php or similar PEAR-related files
- Monitor for new or modified PHP files in the WordPress installation directory
- Review access logs regularly for patterns consistent with automated vulnerability scanning
How to Mitigate CVE-2024-13725
Immediate Actions Required
- Update the Keap Official Opt-in Forms plugin to a patched version immediately if available
- If no patch is available, deactivate and remove the plugin until a fix is released
- Audit web server logs for any evidence of exploitation attempts
- Disable register_argc_argv in PHP configuration if not required by applications
- Restrict or remove access to pearcmd.php and other PEAR command-line utilities
Patch Information
Organizations using the Keap Official Opt-in Forms plugin should check the WordPress Plugin Page for the latest version and security updates. The Wordfence Vulnerability Report provides additional details about affected versions and remediation guidance.
Workarounds
- Disable the Keap Official Opt-in Forms plugin until a patched version is available
- Implement WAF rules to block requests containing path traversal sequences targeting the plugin
- Set register_argc_argv = Off in php.ini to prevent the pearcmd RCE escalation path
- Remove or restrict access to PEAR command-line tools (pearcmd.php, peclcmd.php)
- Apply principle of least privilege to web server file system permissions
# Configuration example - Disable register_argc_argv in PHP
# Add to php.ini or PHP configuration file
register_argc_argv = Off
# Restrict access to PEAR files via Apache
# Add to .htaccess or Apache configuration
<FilesMatch "^(pearcmd|peclcmd)\.php$">
Require all denied
</FilesMatch>
# Nginx configuration to block PEAR files
location ~ /(pearcmd|peclcmd)\.php$ {
deny all;
return 404;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
