CVE-2024-13790
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform Local File Inclusion (LFI) in the MinimogWP WordPress theme by manipulating the 'template' parameter. Attackers can include and execute arbitrary PHP files on the server, potentially leading to remote code execution, data theft, or access control bypass. All WordPress sites using MinimogWP theme versions up to 3.7.0 are affected.
💻 Affected Systems
- MinimogWP – The High Converting eCommerce WordPress Theme
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise with remote code execution, sensitive data exfiltration, and persistent backdoor installation.
Likely Case
Unauthenticated attackers achieve remote code execution by uploading malicious files (e.g., disguised as images) and including them via the vulnerable parameter.
If Mitigated
Attackers can still read sensitive server files but cannot execute code if file uploads are strictly controlled and PHP execution is disabled in upload directories.
🎯 Exploit Status
Exploitation is straightforward via HTTP requests to the vulnerable endpoint with crafted 'template' parameter. Public exploit details exist in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.1 or later
Vendor Advisory: https://changelog.thememove.com/minimog-wp/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Appearance > Themes. 3. Update MinimogWP theme to version 3.7.1 or later. 4. Clear any caching plugins/CDN caches.
🔧 Temporary Workarounds
Disable vulnerable endpoint via .htaccess
linuxBlock access to the vulnerable PHP file if known specific endpoint
<Files "vulnerable-file.php">
Order Allow,Deny
Deny from all
</Files>
Restrict file uploads
allTemporarily disable file uploads or restrict to specific safe extensions
# In wp-config.php add: define('ALLOW_UNFILTERED_UPLOADS', false);
🧯 If You Can't Patch
- Immediately disable or switch to a different WordPress theme
- Implement web application firewall (WAF) rules to block requests containing 'template' parameter with path traversal sequences
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Appearance > Themes for MinimogWP version. If version is 3.7.0 or lower, system is vulnerable.Check Version:
wp theme list --field=name,version --path=/path/to/wordpress | grep minimogVerify Fix Applied:
Confirm MinimogWP theme version is 3.7.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'template' parameter with path traversal sequences (../, ..\, %2e%2e%2f)
- Requests to theme PHP files with unusual parameters
- File inclusion errors in web server logs
Network Indicators:
- Unusual POST/GET requests to theme files with 'template' parameter
- Multiple failed inclusion attempts followed by successful file inclusion
SIEM Query:
web_access_logs WHERE url CONTAINS 'template' AND (url CONTAINS '../' OR url CONTAINS '..\' OR url CONTAINS '%2e%2e%2f')