Impact
An unauthenticated Local File Inclusion flaw exists in the Rosaleen WordPress theme for versions up to 2.8. The vulnerability permits an attacker to request the theme via a web request that ultimately includes or reads local files on the server. If the attacker can control the included file path, the flaw can be leveraged to expose sensitive configuration data or, in some cases, to execute server‑side code. The weakness is rooted in CWE‑98, which concerns improper handling of file paths.
Affected Systems
WordPress installations that use the ThemeREX Rosaleen theme, versions 2.8 and earlier. No specific sub‑versions are listed beyond the overall maximum of 2.8.
Risk and Exploitability
The CVSS score of 8.1 ranks the flaw as high severity, while the EPSS score of less than 1% indicates that exploitation is currently considered rare. Because the vulnerability is unauthenticated and accessed over the public web, the attack vector is likely remote. The flaw is not listed in the CISA KEV catalog, so it has not been observed in known widespread attacks as of the data present.
OpenCVE Enrichment