Impact
An unauthenticated Local File Inclusion flaw exists in the Corbesier WordPress theme up to version 1.15.0, classified as CWE-98. The vulnerability allows an attacker to request the inclusion of arbitrary files from the site's local filesystem. If a crafted file containing malicious code is included, the attacker could execute code on the server, leading to full compromise of the WordPress installation.
Affected Systems
The weakness affects ThemeREX Corbesier versions 1.15.0 and older. Use of the Corbesier theme prior to 1.15.1 exposes the site to this flaw, regardless of the WordPress core version.
Risk and Exploitability
The CVSS score of 8.1 marks this as a high‑severity flaw. The EPSS score of less than 1% indicates that exploitation is uncommon in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the inclusion by sending a specially crafted request to a vulnerable site; authentication is not required.
OpenCVE Enrichment