Impact
Unauthenticated Local File Inclusion (CWE‑98) exists in ThemeREX Quirky theme version 1.23 and earlier. The flaw allows an attacker to supply arbitrary file paths that the theme will include, potentially exposing the contents of sensitive files or executing injected code. Successful exploitation can compromise confidentiality through data disclosure and may lead to integrity or remote‑code‑execution threats if the included file contains executable payloads. The vulnerability is triggered without authentication, meaning any web visitor or attacker can try to exploit it.
Affected Systems
The affected system is the WordPress Quirky theme from ThemeREX, applicable to all releases of version 1.23 and older. Admins using these versions should verify the theme version in the WordPress dashboard.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity. EPSS data is not provided, so the dynamic exploitation probability cannot be quantified, but the lack of authentication requirement raises the likelihood of automated attacks. The vulnerability is not listed in CISA’s KEV catalogue; however, its high impact and ease of exploitation warrant immediate remediation. Attackers may execute the LFI by sending crafted requests that traverse directories and include system files or arbitrary PHP scripts, gaining privileged access to the web server environment.
OpenCVE Enrichment