Impact
The Neuronet WordPress theme versions prior to 1.14.0 contain an unauthenticated local file inclusion flaw that can be exploited by manipulating a parameter that is not properly validated before being passed to an include operation. An attacker with access to the site can request arbitrary files from the server’s file system, potentially exposing configuration data, credentials, or code. If an executable file is included, remote code execution on the host may be achieved.
Affected Systems
All WordPress sites that use the Neuronet theme from ThemeREX with a version lower than 1.14.0 are vulnerable; no additional version qualifiers are provided beyond the cutoff of 1.14.0.
Risk and Exploitability
The vulnerability has a CVSS score of 8.1 and an unavailable EPSS score, and it is not listed in CISA’s KEV catalog. Exploitation requires no authentication but relies on a crafted request that specifies a path relative to the web root. The attack scope is limited to files accessible under the web server’s document root, yet the ability to read or execute sensitive files presents a significant risk.
OpenCVE Enrichment