Impact
This vulnerability is an unauthenticated Local File Inclusion in the Wanium WordPress theme up to version 1.9.8. Attackers can supply crafted parameters to the theme so that it reads and returns arbitrary files from the server file system. The disclosure of configuration files, credentials, or other sensitive data can occur, and if an executable file such as PHP is included, remote code execution may be possible. The weakness is classified as CWE‑98, Improper Control of File Name or Path for Inclusion or Execution.
Affected Systems
The affected product is the WordPress theme Wanium provided by Themelogi, with vulnerable versions up to and including 1.9.8. All sites using these theme versions, irrespective of the underlying WordPress installation, are impacted because the flaw resides in the theme code.
Risk and Exploitability
The CVSS v3.1 score is 8.1, indicating high severity, while the EPSS score is less than 1 %, signalling a low probability of exploitation in current datasets. The vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is 'LOCAL', inferred from the fact that the flaw allows an unauthenticated HTTP request without additional privileges. An adversary can craft a request with a malicious path to include any file available to the web process, potentially exposing secrets or executing code. Because the exploit is simple and requires no special environment, the potential impact remains significant.
OpenCVE Enrichment