CVE-2024-3807

Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta

The Porto theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 7.1.0 via the 'porto_page_header_shortcode_type', 'slideshow_type' and 'post_layout' post meta. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP file types can be uploaded and included. This was partially patched in version 7.1.0 and fully patched in version 7.1.1.


We have discovered 16,459 live websites that are affected by CVE-2024-3807.



Affected Software

  • Product - Porto
  • Category - WordPress Themes
  • Vulnerable Domains - 16,459 live websites (66.79% of Porto install base)
  • Vulnerable Versions - from 0 through 7.1
  • Vulnerable Versions Count - 300 versions (88.50% of all versions)



Details

  • Published - May 9, 2024
  • Updated - Aug 1, 2024

Credits

  • István Márton (finder)

CVE-2024-3807 usage by Country

  • United States - 5,031 websites
  • Germany - 1,622 websites
  • France - 769 websites
  • Turkey - 758 websites
  • Russia - 682 websites
  • GB - 569 websites
  • Brazil - 514 websites
  • Italy - 431 websites
  • Netherlands - 418 websites
  • Spain - 382 websites

CVE-2024-3807 usage by TLD

  • .com - 6,775 websites
  • .com.br - 692 websites
  • .ru - 575 websites
  • .co.uk - 414 websites
  • .it - 385 websites
  • .de - 372 websites
  • .nl - 346 websites
  • .org - 333 websites
  • .net - 331 websites
  • .pl - 265 websites

FAQ

A total of 16,459 websites have been identified as vulnerable to CVE-2024-3807, discovered through global website indexing conducted by WebTechSurvey.
Porto is susceptible to the CVE-2024-3807 vulnerability.
Porto versions before, and including, 7.1 are vulnerable to CVE-2024-3807.