CVE-2024-13790 Overview
CVE-2024-13790 is a Local File Inclusion (LFI) vulnerability in the MinimogWP – The High Converting eCommerce WordPress Theme, affecting all versions up to and including 3.7.0. The vulnerability lies in the template parameter, whose value is used to select a file for inclusion without being properly sanitized.
This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, enabling the execution of any PHP code contained in those files. Attackers can leverage this flaw to bypass access controls, obtain sensitive data, or achieve remote code execution by uploading malicious content disguised as "safe" file types like images, which can then be included and executed.
Critical Impact
Unauthenticated attackers can achieve arbitrary code execution on WordPress servers running vulnerable versions of the MinimogWP theme, potentially leading to complete server compromise.
Affected Products
- MinimogWP – The High Converting eCommerce WordPress Theme versions ≤ 3.7.0
- WordPress installations using vulnerable MinimogWP theme versions
- eCommerce websites built with the MinimogWP theme
Discovery Timeline
- 2025-03-19 - CVE-2024-13790 published to NVD
- 2025-03-19 - Last updated in NVD database
Technical Details for CVE-2024-13790
Vulnerability Analysis
This Local File Inclusion vulnerability (CWE-98) stems from improper validation of the template parameter in the MinimogWP WordPress theme. It is particularly dangerous because it requires no authentication: any remote attacker can trigger it without valid credentials.
The attack can be executed over the network with low complexity. When successfully exploited, the vulnerability has full impact on the confidentiality, integrity, and availability of the affected system: attackers can read sensitive configuration files, execute arbitrary PHP code, and potentially pivot to other systems on the network.
Root Cause
The root cause of CVE-2024-13790 is the failure to properly sanitize or validate the template parameter before using it in file inclusion operations. The theme directly incorporates user-supplied input into file path operations without implementing adequate security controls such as:
- Input validation against an allowlist of permitted templates
- Path traversal prevention mechanisms
- File type restrictions
- Proper input sanitization to remove directory traversal sequences
This allows attackers to manipulate the template parameter to include arbitrary files from the server's filesystem, including uploaded files containing malicious PHP code.
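The controls listed above, shown side by side with the vulnerable pattern. This is an added example written for this page, not MinimogWP's code; the function names, the DEMO_ALLOWED_TEMPLATES list and the temporary template directory are invented for the illustration.

```php
<?php
// Added example, not MinimogWP's code: a generic "template" parameter handler
// in the vulnerable shape the advisory describes, beside a hardened resolver.
// All names here (demo_*, DEMO_ALLOWED_TEMPLATES) are invented for the example.

// --- Vulnerable shape (CWE-98): the request parameter reaches include() ---
function demo_vulnerable_include(string $templateDir, string $template): void
{
    // The parameter is concatenated into the path unchecked, so whatever
    // file the string resolves to is read and executed as PHP.
    include $templateDir . '/' . $template . '.php';
}

// --- Hardened resolver ---
// Only templates the theme actually ships may be selected by name.
const DEMO_ALLOWED_TEMPLATES = ['product-grid', 'product-list', 'quick-view'];

/**
 * Map a user-supplied template name to an absolute path, or return null.
 * Order matters: cheap syntactic rejection first, then the allowlist, then a
 * canonical-path containment check as defence in depth.
 */
function demo_resolve_template(string $templateDir, string $template): ?string
{
    // A legitimate template name is a plain slug; anything else is rejected
    // before it can influence a filesystem operation.
    if (!preg_match('/\A[a-z0-9-]+\z/', $template)) {
        return null;
    }
    if (!in_array($template, DEMO_ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    // The canonical file must sit strictly inside the canonical base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function demo_safe_include(string $templateDir, string $template): bool
{
    $path = demo_resolve_template($templateDir, $template);
    if ($path === null) {
        return false; // caller answers with a 400/404, never with a file
    }
    include $path;
    return true;
}

// --- Self-check against a temporary template directory ---
$dir = sys_get_temp_dir() . '/demo-templates-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/product-grid.php', "<?php /* shipped template */\n");

$cases = [
    'product-grid'                 => true,   // shipped and allowlisted
    'product-list'                 => false,  // allowlisted but not on disk
    '../../wp-config'              => false,  // traversal fails the slug check
    'product-grid/../product-grid' => false,  // canonicalises fine, still not a slug
    'PRODUCT-GRID'                 => false,  // allowlist comparison is exact
];
foreach ($cases as $input => $expected) {
    $ok = demo_safe_include($dir, $input) === $expected;
    printf("%-32s %s\n", $input, $ok ? 'ok' : 'MISMATCH');
}
unlink($dir . '/product-grid.php');
rmdir($dir);
```

The allowlist is the control that actually closes the hole: a name that is not one of the shipped templates never reaches the filesystem, so uploaded files and configuration files outside the template set are unreachable by construction. The realpath containment check is kept as a second layer for the case where someone later relaxes the allowlist; because realpath resolves symlinks, it also catches a link inside the template directory that points elsewhere.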
Attack Vector
The attack vector for this vulnerability is network-based, targeting the template parameter in web requests to the WordPress site. An unauthenticated attacker can craft malicious requests that manipulate this parameter to include arbitrary files.
A typical attack scenario involves:
- The attacker uploads a file containing malicious PHP code disguised as a safe file type (e.g., an image with embedded PHP)
- The attacker crafts a request with a manipulated template parameter pointing to the uploaded malicious file
- The vulnerable theme includes and executes the malicious file, granting the attacker code execution capabilities
The vulnerability can also be exploited to include existing sensitive files on the server, such as wp-config.php, to extract database credentials and other configuration secrets.
Detection Methods for CVE-2024-13790
Indicators of Compromise
- Unusual web server log entries containing path traversal sequences (../) in the template parameter
- Unexpected file access patterns in server logs targeting configuration files or uploaded content directories
- Newly created or modified files in upload directories with PHP code embedded in image or document files
- Suspicious outbound network connections from the WordPress server
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing path traversal sequences
- Monitor web server access logs for requests with suspicious template parameter values
- Deploy file integrity monitoring to detect unauthorized changes to theme files and uploads
- Use WordPress security plugins that can detect LFI attack patterns
Monitoring Recommendations
- Enable detailed logging for all requests to the WordPress installation
- Configure alerts for requests containing directory traversal patterns (../, ..%2f, etc.)
- Monitor for unusual PHP file execution in upload directories
- Review server access logs regularly for patterns consistent with LFI exploitation attempts
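A concrete form of the log review described in the two lists above: a small scanner that pulls the template parameter out of combined-format access log lines, undoes single and double URL encoding, and reports traversal attempts. This is an added example, not part of the advisory; the function names and the five log lines are constructed for the demo.

```php
<?php
// Added example (not from the advisory): scan combined-format web server
// access log lines for requests whose "template" query parameter carries a
// directory traversal sequence, in plain, URL-encoded and double-encoded
// forms. The log lines at the bottom are constructed for the demo.

/**
 * Decode a value repeatedly until it stops changing (bounded), so that
 * "..%2f" and "..%252f" both surface as "../".
 */
function demo_fully_decode(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/**
 * Return the decoded template value if the line looks like an LFI attempt,
 * or null if the request is benign or has no template parameter.
 */
function demo_check_log_line(string $line): ?string
{
    // Combined log format: host - - [time] "METHOD /path?query HTTP/x.y" ...
    if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return null;
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params); // one level of URL decoding happens here
    if (!isset($params['template']) || !is_string($params['template'])) {
        return null;
    }
    $value = demo_fully_decode($params['template']);
    // Traversal with either separator, or an absolute path: neither is ever a
    // valid template name.
    if (preg_match('#(\.\.[/\\\\]|\A/)#', $value)) {
        return $value;
    }
    return null;
}

// --- Constructed sample log lines ---
$sampleLog = [
    '203.0.113.10 - - [19/Mar/2025:10:01:02 +0000] "GET /?template=product-grid HTTP/1.1" 200 5123',
    '203.0.113.11 - - [19/Mar/2025:10:01:05 +0000] "GET /?template=../../wp-config.php HTTP/1.1" 200 812',
    '203.0.113.12 - - [19/Mar/2025:10:01:09 +0000] "GET /?template=..%2f..%2fwp-content%2fuploads%2f2025%2fa.jpg HTTP/1.1" 200 91',
    '203.0.113.13 - - [19/Mar/2025:10:01:12 +0000] "GET /?template=..%252f..%252fwp-config.php HTTP/1.1" 403 0',
    '203.0.113.14 - - [19/Mar/2025:10:01:15 +0000] "GET /shop/?orderby=price&template=quick-view HTTP/1.1" 200 6001',
];

foreach ($sampleLog as $line) {
    $hit = demo_check_log_line($line);
    if ($hit !== null) {
        echo "ALERT template=", $hit, "\n    ", $line, "\n";
    }
}
```

Two things worth keeping in mind when running this over real logs: the scanner only sees the request line, so a template parameter sent in a POST body never appears in the access log and has to be caught at the WAF or application layer instead; and a 403 on a flagged line (as on the fourth sample) means a rule already blocked the request, while a 200 on a flagged line is the case that needs an investigation of what the server actually returned.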
How to Mitigate CVE-2024-13790
Immediate Actions Required
- Update the MinimogWP theme to a version newer than 3.7.0 that addresses this vulnerability
- Review web server logs for evidence of exploitation attempts
- If unable to update immediately, disable the MinimogWP theme and switch to a secure alternative
- Implement WAF rules to block path traversal attempts targeting the template parameter
- Conduct a security audit of uploaded files for any malicious content
Patch Information
The vulnerability affects MinimogWP theme versions up to and including 3.7.0. Users should update to the latest version available from the official ThemeForest marketplace or through the ThemeMove Changelog to obtain the security fix. For detailed vulnerability information, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Deploy a Web Application Firewall (WAF) with rules to block path traversal patterns in request parameters
- Restrict file upload capabilities and implement strict file type validation
- Configure the PHP open_basedir directive to limit file access to the WordPress directory
- Implement server-level access controls to prevent unauthorized file inclusion
The following Apache configuration can help mitigate LFI attacks by blocking common path traversal patterns. The rewrite rules go in the .htaccess file of the WordPress root, above the "# BEGIN WordPress" block so they are evaluated before WordPress's own rewrite to index.php. mod_rewrite tests the raw, still-encoded query string, which is why the single- and double-encoded forms are listed separately:
# Block path traversal attempts (WordPress root .htaccess)
RewriteEngine On
RewriteCond %{QUERY_STRING} (\.\./) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.%2f) [NC,OR]
RewriteCond %{QUERY_STRING} (\.\.%252f) [NC]
RewriteRule .* - [F,L]
To stop uploaded files from being executed as PHP when requested directly, place a separate .htaccess in wp-content/uploads that refuses to serve PHP files from that directory (Apache 2.4 syntax):
# wp-content/uploads/.htaccess: never serve PHP from the uploads tree
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
A <Directory /path/to/wordpress/wp-content/uploads> block containing php_admin_flag engine off achieves the same with mod_php, but Apache accepts <Directory> and php_admin_flag only in the main server configuration (httpd.conf or a virtual host), not in .htaccess, and the flag has no effect under PHP-FPM. Both measures only stop direct requests for uploaded files: a vulnerable include() in the theme still reads and runs whatever file it is pointed at, so they narrow the attack surface but do not replace the update.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

