90k+ Users at Risk: Unauthenticated LFI Vulnerability Affects Porto Theme
The widely used theme, installed on over 90,000 websites, is exposed to file inclusion attacks that enable code execution and data theft – immediate updates required.
Security researcher István Márton has exposed a series of disturbing vulnerabilities within the Porto WordPress theme and its associated “Porto Theme – Functionality” plugin. These flaws, if exploited, could allow threat actors to remotely execute malicious code on affected websites, steal sensitive information, and potentially gain full control over vulnerable servers.
Four significant security flaws were identified, two affecting the main theme and two impacting the associated plugin. All four are Local File Inclusion (LFI) vulnerabilities, a class of flaw in which attacker-controlled input decides which file is included in a given execution context, leading to unauthorized actions such as code execution, data theft, or server takeover.
CVE-2024-3806 (CVSS 9.8): An unauthenticated LFI vulnerability in the porto_ajax_posts function of the Porto theme allows attackers to execute PHP code remotely without needing to authenticate, making it particularly dangerous. This vulnerability was present in all versions up to and including 7.1.0 and was patched in version 7.1.1.
CVE-2024-3807 (CVSS 8.8): This authenticated LFI vulnerability affects several post meta entries, such as porto_page_header_shortcode_type, slideshow_type, and post_layout. Attackers with at least contributor-level access could exploit this flaw to execute arbitrary PHP code. It was partially patched in version 7.1.0 and fully resolved in 7.1.1.
CVE-2024-3808 (CVSS 8.8): Similar to CVE-2024-3807, this vulnerability resides in the Porto Theme Functionality plugin and can be exploited via the porto_portfolios shortcode’s portfolio_layout attribute. Like the previous CVEs, it allows contributors and above to execute arbitrary code; it was patched in version 3.1.1.
CVE-2024-3809 (CVSS 8.8): Also in the Functionality plugin, this authenticated LFI can be exploited via the slideshow_type post meta. This flaw was addressed in the plugin update to version 3.1.0.
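As an added illustration (not code from the Porto theme, its plugin, or the researcher's write-up), the PHP below shows the generic shape of the bug class described above and its fix. Every affected parameter in the advisory names a layout or type; the safe pattern is that such a value selects a key in a fixed allowlist and is never spliced into an include path, with a second check that the resolved path stays inside the template directory. The function names, layout keys and temporary files are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed allowlist: the keys a request may name, and the file each one loads.
const ALLOWED_LAYOUTS = [
    'grid'     => 'grid.php',
    'masonry'  => 'masonry.php',
    'timeline' => 'timeline.php',
];

// Weak pattern behind LFI bugs (shown for contrast, never executed here):
//   include $layoutDir . '/' . $_REQUEST['layout'] . '.php';
// The caller chooses the file, so "../" sequences reach anything PHP can read.

// Hardened resolver: untrusted input selects an allowlist key, never a path.
function resolve_layout_file(string $layoutDir, string $layout): ?string
{
    if (!array_key_exists($layout, ALLOWED_LAYOUTS)) {
        return null;                       // unknown key: refuse rather than guess
    }
    $base = realpath($layoutDir);
    $path = realpath($layoutDir . '/' . ALLOWED_LAYOUTS[$layout]);
    // Second line of defence: the resolved path must stay inside the layout directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Stand-alone demonstration with constructed layout files in a temporary directory.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/layouts', 0700, true);
foreach (ALLOWED_LAYOUTS as $file) {
    file_put_contents($dir . '/layouts/' . $file, "<?php echo 'layout: $file', PHP_EOL;\n");
}
file_put_contents($dir . '/secret.txt', "not a layout\n");

// Two legitimate keys and two values that try to name a file instead of a key.
$inputs = ['grid', 'timeline', '../secret.txt', 'grid/../../secret.txt'];
foreach ($inputs as $input) {
    $file = resolve_layout_file($dir . '/layouts', $input);
    if ($file === null) {
        echo "rejected: $input", PHP_EOL;
        continue;
    }
    include $file;
}

// Clean up the constructed files.
foreach (ALLOWED_LAYOUTS as $file) {
    unlink($dir . '/layouts/' . $file);
}
unlink($dir . '/secret.txt');
rmdir($dir . '/layouts');
rmdir($dir);
```

Run it with `php lfi_demo.php`: the two allowlisted keys include their stub files, and both path-like values are rejected before any include runs. The allowlist is the real control; the `realpath` prefix check only catches a mistake in the allowlist itself, such as an entry that points outside the directory.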
Website administrators using the Porto theme or Functionality plugin should take immediate action to protect their sites:
- Update Immediately: Ensure that the Porto theme and all related plugins are updated to the latest versions—7.1.1 for the theme and 3.1.1 for the Functionality plugin.
- Review Access Controls: Examine and restrict user permissions to ensure that only trusted users have contributor-level access or higher.
- Audit Website Security: Conduct a thorough audit of the website to check for any signs of compromise or unusual activity, especially if updates were not applied promptly.
- Implement Regular Security Practices: Regularly update all themes and plugins, use strong authentication methods, and apply security best practices to all aspects of website management.