CVE-2024-13545 is a critical security vulnerability identified in the Bootstrap Ultimate WordPress theme developed by eminozlem, affecting all versions up to and including 1.4.9. The vulnerability is classified as CWE-22, an improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw. The issue arises from insufficient validation of the 'path' parameter, which allows unauthenticated attackers to manipulate file paths and include arbitrary PHP files from the server's filesystem. This Local File Inclusion (LFI) flaw enables attackers to execute arbitrary PHP code if they can upload or otherwise place PHP files on the server. Furthermore, if the server has the php://filter wrapper enabled, attackers can leverage this to achieve Remote Code Execution (RCE) directly by filtering and including PHP code. The vulnerability does not require any authentication or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 base score of 9.8 reflects the critical nature of this vulnerability, with high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation and the widespread use of WordPress themes make this a significant threat. The vulnerability can lead to full system compromise, data theft, and disruption of services on affected WordPress sites.

The impact of CVE-2024-13545 is severe for organizations running WordPress sites with the vulnerable Bootstrap Ultimate theme. Exploitation can lead to unauthorized access to sensitive files, including configuration files, database credentials, and user data, severely compromising confidentiality. Attackers can execute arbitrary PHP code, potentially gaining full control over the web server and underlying infrastructure, impacting integrity and availability. This can result in website defacement, data theft, deployment of malware or ransomware, and use of compromised servers for further attacks. The lack of authentication and user interaction requirements increases the risk of automated exploitation and widespread attacks. Organizations relying on this theme for business-critical websites or e-commerce platforms face significant operational and reputational damage if exploited. Additionally, the vulnerability could be leveraged as a foothold for lateral movement within corporate networks, escalating the overall security risk.

To mitigate CVE-2024-13545, organizations should immediately update the Bootstrap Ultimate theme to a patched version once available from the vendor. Until a patch is released, administrators should consider disabling or removing the vulnerable theme to eliminate exposure. Implement strict input validation and sanitization on the 'path' parameter to prevent path traversal attempts. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the 'path' parameter or attempts to include local files. Restrict file upload capabilities and ensure uploaded files are validated and stored outside the web root to prevent malicious PHP file uploads. Disable the php://filter wrapper if not required, reducing the risk of remote code execution. Regularly audit and monitor web server logs for unusual access patterns or inclusion attempts. Employ the principle of least privilege on web server file permissions to limit the impact of any successful exploitation. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.