Impact
Unauthenticated Local File Inclusion exists in the MaxiNet WordPress theme versions up to 1.2.10. The flaw allows an attacker to supply a file path argument that is not properly validated, leading to the inclusion of arbitrary files on the server. This can expose sensitive configuration files, user data, or enable remote code execution if the included file contains executable code.
Affected Systems
The vulnerability affects the ThemeREX MaxiNet theme for WordPress, specifically any installation using version 1.2.10 or earlier.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. The flaw does not appear in the CISA KEV catalog, so no known public exploits exist. Based on the description, it is inferred that an attacker could trigger the inclusion by crafting a request that supplies a malicious file path in a publicly reachable parameter, as the vulnerability is unauthenticated. The attacker could then read sensitive files or potentially execute code if the included file contains executable content.
OpenCVE Enrichment