Impact
The Preservation theme is vulnerable to an unauthenticated local file inclusion flaw. An attacker can supply crafted input to cause the server to read arbitrary files from the filesystem. This weakness directly maps to CWE‑98 and, if the included files contain code or configuration data, could lead to disclosure of credentials or the ability to execute code on the host. Because the exploit does not require authentication, any web visitor can trigger it, exposing the site to a broad threat surface.
Affected Systems
WordPress users running the ThemeREX Preservation theme version 1.10 or are affected. The vulnerability affects all installations of these versions with no further version granularity specified.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity level. EPSS is not available, so the precise exploitation probability remains unknown, but the lack of a KEV listing suggests no widespread exploitation has been reported yet. Nevertheless, the unauthenticated nature of the LFI allows any visitor to trigger the issue, making it highly exploitable once discovered. Attackers could read local files such as wp‑config.php, leading to credential leaks, or include code that requests remote resources, possibly executing arbitrary PHP.
OpenCVE Enrichment