Impact
WordPress Food Drop theme versions 1.3 and earlier can be exploited through an unauthenticated Local File Inclusion flaw. An attacker could trick the theme into including a local file via a crafted URL or parameter, potentially exposing sensitive files such as configuration files or webroot content. If the attacker can force the inclusion of a PHP file, arbitrary code execution becomes possible.
Affected Systems
All installations of the ThemeREX Food Drop theme using version 1.3 or earlier are affected. Any WordPress site that has deployed these legacy theme releases is at risk.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.1 and an EPSS score below 1%, indicating a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Likely attack vector is an unauthenticated request to the site that manipulates the file path the theme uses for inclusion. Because the flaw allows inclusion of arbitrary files on the server, an attacker could obtain sensitive information or, if PHP files are included, gain remote code execution. The absence of authentication or file path validation enables this attack without special prerequisites.
OpenCVE Enrichment