Impact
The Hyori theme does not properly control the filename passed to PHP include/require statements, allowing attackers to perform local file inclusion (LFI) and potentially execute arbitrary code. This flaw may enable an attacker to read sensitive files on the server or to have PHP code of their choosing included and executed, leading to full compromise of the affected WordPress installation.
Affected Systems
This vulnerability affects the Hyori WordPress theme provided by goalthemes, versions up to and including 1.3.6. All deployments of the theme that have not upgraded past 1.3.6 are vulnerable, regardless of WordPress core version.
Risk and Exploitability
The CVSS score of 8.1 classifies the issue as high severity; the EPSS score of <1% indicates a very low probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Nevertheless, the nature of LFI means an attacker who can manipulate the include path could gain code execution, especially if the attacker can place a malicious file in an accessible directory. Based on the description, it is inferred that the attack vector is remote, triggered through crafted URL parameters or form inputs that the theme consumes.
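The root cause described above is a filename that reaches include/require without adequate control. The following PHP helper is an added illustration of the defensive pattern (an allowlist of template names plus a realpath confinement check); it is not the Hyori theme's code, and the parameter name `tpl`, the `templates/` directory and the template list are assumptions.

```php
<?php
// Added example, not the Hyori theme's code. The parameter name ($_GET['tpl']),
// the templates/ directory and the allowlist below are assumptions.
//
// The class of defect in the advisory is an include whose path is built from
// request input, e.g.  include $_GET['tpl'];  The helper below replaces that
// with two independent controls: an allowlist and a directory confinement check.

/**
 * Resolve a requested template name to a file inside $baseDir.
 * Returns the canonical path, or null if the request must be refused.
 */
function resolve_template(string $requested, string $baseDir, array $allowlist): ?string
{
    // Control 1: only names the theme actually ships may be requested.
    // Strict comparison avoids loose-typing surprises with numeric strings.
    if (!in_array($requested, $allowlist, true)) {
        return null;
    }

    // Build the path from the validated name only; never concatenate raw input.
    $candidate = $baseDir . DIRECTORY_SEPARATOR . $requested . '.php';

    // Control 2 (defence in depth): the canonical path must stay under $baseDir.
    // realpath() resolves '..' and symlinks and returns false for missing files.
    $realBase = realpath($baseDir);
    $realFile = realpath($candidate);
    if ($realBase === false || $realFile === false) {
        return null;
    }
    if (strpos($realFile, $realBase . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $realFile;
}

$allowed = ['header', 'footer', 'sidebar'];      // assumed set of shipped templates
$baseDir = __DIR__ . '/templates';                // assumed template directory
$name    = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'header';

$file = resolve_template($name, $baseDir, $allowed);
if ($file === null) {
    // Log the rejected value for detection, then refuse; never fall back to raw input.
    error_log(sprintf('Rejected template request: %s', $name));
    http_response_code(400);
    exit;
}
require $file;
```

Rejected requests are written to the PHP error log, which gives defenders a concrete signal to alert on while the vulnerable theme version is being upgraded.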
OpenCVE Enrichment