Impact
The vulnerability is an unauthenticated local file inclusion flaw in the Ingenioso theme for WordPress up to version 1.14.0. An attacker can cause the web application to read and serve arbitrary files from the server’s file system, potentially exposing sensitive data or enabling execution of arbitrary code if the included file contains executable content. The flaw is associated with CWE‑98, which addresses inappropriate use of user‑supplied data for file handling.
Affected Systems
The affected product is the ThemeREX Ingenioso WordPress theme. Versions up to and including 1.14.0 are vulnerable.
Risk and Exploitability
Attackers with web access can exploit this unrestricted local file inclusion path without any authentication. The CVSS score of 8.1 denotes a high‑severity flaw, reflecting the potential for code execution or disclosure of confidential information. While no EPSS score is provided and the issue is not listed in CISA’s KEV catalog, the absence of a prerequisite login and the ability to target any publicly reachable site make this vulnerability immediately actionable and likely to be pursued by threat actors.
OpenCVE Enrichment