CVE-2024-3807: 
WordPress vulnerability analysis and mitigation

The Porto WordPress theme contains a Local File Inclusion (LFI) vulnerability in all versions up to and including 7.1.0. The vulnerability exists in the handling of 'portopageheadershortcodetype', 'slideshowtype', and 'postlayout' post meta entries (NVD). This security flaw was discovered in early 2024 and was partially patched in version 7.1.0 and fully patched in version 7.1.1.

The vulnerability allows authenticated attackers with contributor-level permissions or higher to include and execute arbitrary files on the server. This enables the execution of any PHP code contained within those files. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Security Online).

The vulnerability can be exploited to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. With over 90,000 websites using the Porto theme, the potential impact is significant (Security Online).

Users should immediately update to Porto theme version 7.1.1 which contains the complete fix for this vulnerability. The vulnerability was partially addressed in version 7.1.0, but the full patch is only available in version 7.1.1 (NVD).