Impact
The vulnerability allows an unauthenticated attacker to request the Raider Spirit theme to include arbitrary local files on the server. By manipulating the theme’s file inclusion mechanism, the attacker can read sensitive configuration files, Secrets, or the contents of the file system. If the included file contains executable code—for example, a PHP file crafted by the attacker—the vulnerability could increase to remote code execution. The fault stems from a classic local file inclusion weakness and is formally identified as CWE‑98.
Affected Systems
The affected product is the ThemeREX Raider Spirit WordPress theme. All releases up to and including version 1.1.2 are vulnerable. No other products are listed as impacted.
Risk and Exploitability
With a CVSS score of 8.1, the flaw is considered high severity. The EPSS value of less than 1 % suggests that active exploitation is currently rare. The vulnerability is not catalogued in the CISA KEV list. The attack vector is likely a simple HTTP request to a URL that invokes the LFI path, requiring no authentication. Exploitation would involve supplying a crafted file path via the theme’s parameters, which an attacker can do if the theme is configured to accept user input without proper validation.
OpenCVE Enrichment