Impact
This vulnerability allows an unauthenticated attacker to include local files through the WordPress Iona theme versions 1.0.8 and earlier. The flaw can lead to leaking of configuration files, credentials, or other sensitive data and, in some scenarios, enable execution of arbitrary code on the server. The weakness aligns with CWE‑98, highlighting insufficient validation of file paths supplied by users.
Affected Systems
The impact is confined to websites that have installed the ThemeREX Iona theme, specifically any instance running a version equal to or older than 1.0.8. Site owners using newer releases are not affected.
Risk and Exploitability
Based on the description, it is inferred that the attack vector is an unauthenticated HTTP request to the site’s public entry points that manipulates the inclusion parameter, enabling arbitrary file inclusion. The CVSS v3.1 score of 8.1 classifies the issue as High severity. EPSS indicates a probability of exploitation less than 1 %, and the vulnerability does not appear in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. Nonetheless, because the flaw is unauthenticated, the attack surface is broad; an attacker can retrieve arbitrary files or execute code by triggering the inclusion mechanism. The remote exploitation path is relatively straightforward, requiring no credentials and minimal skill beyond manipulating the inclusion parameter. The lack of current exploitation evidence may stem from the low EPSS rather than a lack of severity. Overall, the risk is high for affected sites, but the likelihood of successful exploitation remains low at present.
OpenCVE Enrichment