Current Vulnerabilities in WordPress and Their Security Impact
Overview of Recent WordPress Vulnerabilities
In late January 2025, several critical vulnerabilities affecting various WordPress themes and plugins were disclosed. These vulnerabilities pose significant risks, including Local File Inclusion (LFI), arbitrary file uploads, and SQL injection, which could lead to unauthorized access and remote code execution. Below is a detailed examination of these vulnerabilities, their impact, and potential exploitation scenarios.
CVE-2024-13545: Local File Inclusion in Bootstrap Ultimate Theme
Published: January 24, 2025
Severity: 9.8 (Critical)
The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion (LFI) due to improper handling of the path parameter in all versions up to and including 1.4.9. This vulnerability allows unauthenticated attackers to include arbitrary PHP files on the server, potentially executing any PHP code within those files. If the server has php://filter enabled, this could lead directly to Remote Code Execution (RCE).
Scenario: An attacker could craft a URL that manipulates the path parameter to include sensitive PHP files from the server. For example:
http://example.com/wp-content/themes/bootstrap-ultimate/index.php?path=../../../../etc/passwd
CVE-2025-0357: Arbitrary File Upload in WPBookit Plugin
Published: January 24, 2025
Severity: 9.8 (Critical)
The WPBookit plugin is vulnerable due to insufficient file type validation in the handle_image_upload function for versions up to and including 1.6.9. This flaw permits unauthenticated users to upload arbitrary files, which may lead to remote code execution.
Scenario: An attacker could upload a malicious PHP file disguised as an image:
http://example.com/wp-json/wpbookit/v1/upload?file=malicious.php
CVE-2024-11936: Privilege Escalation in Zox News Theme
Published: January 26, 2025
Severity: 8.8 (High)
The Zox News theme suffers from a missing capability check on the backup_options and restore_options functions in all versions up to and including 3.16.0. This vulnerability allows authenticated attackers with Subscriber-level access or higher to modify site options, potentially elevating their privileges.
Scenario: An authenticated user could exploit this vulnerability to change the default user role for new registrations to Administrator, allowing them to create new admin accounts.
CVE-2024-11641: CSRF in VikBooking Plugin
Published: January 26, 2025
Severity: 8.8 (High)
The VikBooking Hotel Booking Engine & PMS plugin is vulnerable to Cross-Site Request Forgery (CSRF) due to inadequate nonce validation in all versions up to and including 1.7.2. This allows unauthenticated attackers to alter plugin access privileges if they can trick an administrator into clicking a malicious link.
Scenario: An attacker could send an email with a link that triggers a CSRF attack when clicked by an admin user, changing settings or uploading files without their consent.
CVE-2025-0682: Local File Inclusion in ThemeREX Addons Plugin
Published: January 25, 2025
Severity: 8.8 (High)
The ThemeREX Addons plugin is exposed to Local File Inclusion via the trx_sc_reviews shortcode's type attribute in all versions up to and including 2.33.0. Authenticated users with contributor-level permissions can exploit this vulnerability.
Scenario: An authenticated contributor could manipulate the shortcode as follows:
[trx_sc_reviews type=../../../../wp-config.php]
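Both LFI findings above (the Bootstrap Ultimate path parameter and the ThemeREX Addons type attribute) share one root cause: a request-controlled value reaches include() without being confined to a known set of files. The following is an added PHP example, not code from either project, that shows the weak pattern next to a hardened resolver; the function names, the templates/ directory and the allowlist are assumptions.

```php
<?php
// Added example, not code from any theme or plugin named above. It shows the
// weak include pattern behind the two LFI findings (a request parameter used
// as an include path) next to a hardened resolver. Names are hypothetical.

// Weak pattern: the request value reaches include() unchanged, so traversal
// sequences and stream wrappers are never rejected. Shown for contrast only.
function load_template_weak(string $base_dir, string $requested): void {
    include $base_dir . '/' . $requested;
}

// Hardened resolver: returns the canonical path of an allowlisted template
// inside $base_dir, or null when the request must be refused.
function resolve_template_path(string $base_dir, string $requested, array $allowed): ?string {
    // No NUL bytes (checked before basename(), which rejects them in PHP 8),
    // no stream wrappers such as php://filter, and a bare file name only.
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false || $requested !== basename($requested)) {
        return null;
    }
    // Exact match against a fixed set of template names; the extension is
    // appended here, never taken from the request.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($base_dir);
    $full = realpath($base_dir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $full === false) {
        return null;  // missing directory or file: fall back, do not include
    }
    // Containment: the resolved file must sit below $base_dir. The trailing
    // separator stops a sibling directory with the same prefix from passing.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Constructed inputs mirroring the requests discussed above; with no
// templates/ directory present, every call returns null and nothing is included.
$allowed  = ['home', 'archive', 'single'];
$base_dir = __DIR__ . '/templates';
foreach (['home', '../../../../etc/passwd', 'php://filter/resource=home', "home\0"] as $req) {
    $path = resolve_template_path($base_dir, $req, $allowed);
    printf("%-32s => %s\n", addcslashes($req, "\0"), $path ?? 'rejected');
}
```

The same shape applies to a shortcode attribute: resolve it through the allowlist and containment check, and fall back to a default template instead of including whatever the attribute names.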
CVE-2024-13234: SQL Injection in Product Table by WBW Plugin
Published: January 23, 2025
Severity: 7.5 (High)
The Product Table by WBW plugin is vulnerable to SQL Injection through the additionalCondition parameter in all versions up to and including 2.1.2 due to insufficient escaping of user-supplied input.
Scenario: An attacker could inject SQL commands through a crafted request:
http://example.com/wp-json/product-table/v1/get?additionalCondition=1; DROP TABLE wp_users; --
CVE-2024-13593: Local File Inclusion in BMLT Meeting Map Plugin
Published: January 23, 2025
Severity: 7.5 (High)
The BMLT Meeting Map plugin is also affected by Local File Inclusion vulnerabilities similar to those described above.