CVE-2024-13545: 
WordPress vulnerability analysis and mitigation

The Bootstrap Ultimate theme for WordPress contains a Local File Inclusion vulnerability (CVE-2024-13545) affecting all versions up to and including 1.4.9. The vulnerability was discovered by security researcher Aril Aprilio (forsak3n) and was publicly disclosed on January 23, 2025 (Wordfence, NVD).

The vulnerability exists in the path parameter implementation of the theme, allowing for Local File Inclusion attacks. The issue has received a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a highly severe vulnerability that requires no privileges or user interaction to exploit (NVD).

The vulnerability allows unauthenticated attackers to include PHP files on the server, potentially leading to the execution of arbitrary PHP code contained within those files. This can result in unauthorized access control bypass, sensitive data exposure, and potential remote code execution if php://filter is enabled on the server (NVD).

Users running affected versions of the Bootstrap Ultimate theme (versions up to 1.4.9) should update to a patched version as soon as it becomes available. In the meantime, considering the severity of the vulnerability, users should consider temporarily disabling the theme (NVD).