Impact
This vulnerability permits an unauthenticated attacker to include local files via the Kelly Young WordPress theme. The flaw lies in an unchecked file inclusion mechanism, allowing the reading of any file on the server that the web process can access. If a PHP file is read and executed, this could enable code execution, though the CVE description does not confirm such exploitation. The basic impact is a breach of confidentiality for any accessible file, including configuration files or application code.
Affected Systems
WordPress sites that employ the ThemeREX Kelly Young theme version 1.1.0 or earlier are affected, as these versions expose an insecure file inclusion endpoint.
Risk and Exploitability
The CVSS score of 8.1 reflects a high severity assessment. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to construct an HTTP request targeting the vulnerable inclusion path, a method inferred from typical WordPress theme behavior. While exploitation is technically possible, the low EPSS suggests that immediate risk may be limited, although the potential impact of file disclosure remains significant.
OpenCVE Enrichment