Impact
Unrestricted Local File Inclusion allows an unauthenticated attacker to read or include arbitrary files on the server via the Gat theme. The flaw can expose sensitive configuration files, credentials, or lead to arbitrary code execution if included files are executable. The high CVSS score of 8.1 reflects the severity and the potential for broad impact across all users of a site.
Affected Systems
ThemeREX Gat theme versions up to 1.16 are vulnerable. Sites running these versions with the theme active are affected.
Risk and Exploitability
The vulnerability requires no authentication and can be triggered by a crafted request to the theme. Although no EPSS score is reported and the issue is not listed in the CISA KEV catalog, the lack of controls allows widespread exploitation. The CVSS score underscores its high impact and the ease with which an attacker could leverage it.
OpenCVE Enrichment