Impact
The HomeRoofer WordPress theme contains an unauthenticated Local File Inclusion flaw that allows an attacker to read files from the web server’s file system. Because no authentication is required, a malicious actor can supply a crafted request that forces the theme to include a file path supplied by the attacker. The primary impact is potential disclosure of sensitive information, such as configuration files or content that could be leveraged for further attacks.
Affected Systems
The vulnerability exists in ThemeREX HomeRoofer WordPress theme versions up to and including 2.11.0. Any WordPress site that is running one of these legacy theme releases is at risk.
Risk and Exploitability
The CVSS score of 8.1 marks this flaw as High, reflecting the significant impact of read access to server files. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploits at the time of this analysis. However, the attack surface is internal to the site and requires only the ability to construct a URL that includes the vulnerable parameter, making exploitation relatively straightforward for anyone who can visit the affected site.
OpenCVE Enrichment