Impact
An unauthenticated attacker can trigger a local file inclusion flaw in the Geya WordPress theme up to version 1.15. The vulnerability allows reading arbitrary files from the server’s file system, which could expose configuration files, stored credentials, or other sensitive information that may aid further attacks. This weakness is classified as CWE-98.
Affected Systems
The issue affects the Geya theme from ThemeREX Group, specifically all releases up to and including 1.15 when used in a WordPress environment.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending a specially crafted request that causes the theme to include a local file path, and no authentication is required. While the potential to read sensitive files is significant, the concrete impact depends on the attacker’s ability to locate valuable files within the site’s file system.
OpenCVE Enrichment