Impact
Unauthenticated local file inclusion allows an attacker to specify arbitrary file paths for inclusion by the theme. The flaw, identified as CWE‑98, can lead to sensitive data disclosure and, if the attacker is able to supply executable PHP content, could elevate to remote code execution. The vulnerability is confined to the Deliciosa theme and enables reading of files without authentication, with a potential system‑wide impact if critical configuration or webroot files are accessed.
Affected Systems
The issue affects ThemeREX Deliciosa versions 1.10.0 and earlier. All installations running those releases are susceptible; newer releases are not impacted as they have removed the vulnerable code path.
Risk and Exploitability
The CVSS score of 8.1 classifies the vulnerability as high severity. EPSS indicates the probability of exploitation is below 1 %, suggesting that active, real‑world exploits are currently rare. It is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated web request that includes a crafted file path parameter or filename. Based on the description, it is inferred that the attacker can trigger the flaw by supplying malicious input through a publicly exposed endpoint or configuration setting.
OpenCVE Enrichment