Impact
An unauthenticated Local File Inclusion flaw (CWE‑98) exists in WordPress Lighthouse theme versions 1.2.12 and earlier. The vulnerability allows an attacker to craft a request that causes the theme to read and output arbitrary files residing on the server, potentially exposing sensitive configuration data, credentials, or other confidential information. This can lead to a full compromise of the site’s integrity and confidentiality.
Affected Systems
Any WordPress installation using the AncoraThemes Lighthouse theme at version 1.2.12 or lower is vulnerable. The issue has not been reported for releases newer than 1.2.12.
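A defender-side check for the affected range stated above, as an added example that is not part of the original advisory or of the theme's code: it reads each installed theme's style.css header and flags Lighthouse at 1.2.12 or earlier, including child themes whose own version number says nothing about the parent. The directory slug `lighthouse` and the sample header are assumptions.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (1, 2, 12)   # from the advisory: 1.2.12 and earlier
THEME_SLUG = "lighthouse"    # assumption: the theme's directory name

# Constructed sample header, not taken from the real theme.
SAMPLE = "/*\nTheme Name: Lighthouse\nVersion: 1.2.12\n*/"

def parse_header(css_text):
    """Return 'Key: value' header fields from the top of a style.css."""
    fields = {}
    for line in css_text[:8192].splitlines():
        m = re.match(r"^[\s*/#@]*([A-Za-z ]+?)\s*:\s*(.+?)\s*(?:\*/)?$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2).strip())
    return fields

def version_tuple(version):
    """Dotted version as a tuple of ints, padded to three components."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(css_text):
    """Classify one theme: affected, ok, unknown, check-parent, other-theme."""
    header = parse_header(css_text)
    if header.get("template", "").lower() == THEME_SLUG:
        # Child theme: the parent's templates still run, so the parent's
        # version is the one that matters.
        return "check-parent"
    if THEME_SLUG not in header.get("theme name", "").lower():
        return "other-theme"
    if "version" not in header:
        return "unknown"
    if version_tuple(header["version"]) <= LAST_AFFECTED:
        return "affected"
    return "ok"

def scan(themes_dir):
    """Map each theme directory under wp-content/themes to its status."""
    return {
        css.parent.name: assess(css.read_text(errors="replace"))
        for css in sorted(Path(themes_dir).glob("*/style.css"))
    }

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes"
    for theme, status in scan(root).items():
        print(f"{theme}: {status}")
```
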
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. EPSS data is not available and the vulnerability is not yet listed in the CISA KEV catalog, but because no authentication is required, the attack is trivially exploitable by anyone who can access the web server. An attacker would simply craft a request that points the vulnerable template at the desired content.