Impact
The Joly theme for WordPress versions 1.22.0 and earlier contains a Local File Inclusion flaw (CWE-98). It allows an unauthenticated attacker to influence the file path used by the theme to load local files, potentially exposing sensitive data such as configuration files or user credentials. While the description does not confirm remote code execution, arbitrary file disclosure can serve as a foothold for further attacks.
Affected Systems
WordPress sites that have installed the ThemeREX Joly theme at version 1.22.0 or earlier are at risk. The vulnerability does not affect newer releases, so sites running any Joly version later than 1.22.0 are safe from this specific LFI flaw.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, and although the EPSS score is not available, the lack of requirement for authentication means that an attacker can target any publicly accessible Joly-powered site. The vulnerability is not listed in CISA’s KEV catalog. The LFI can be triggered via the theme's internal request handling, so the risk is significant for sites lacking additional web‑server file‑access controls.
OpenCVE Enrichment