Impact
The vulnerability is an unauthenticated Local File Inclusion flaw present in all ThemeREX Medeus WordPress theme versions 1.14 and earlier. The defect allows a remote attacker to craft a request that bypasses the theme’s file handling logic, potentially loading arbitrary files from the server. This can expose confidential configuration data, user credentials, or other sensitive files. The weakness is classified as CWE‑98.
Affected Systems
All installations of the ThemeREX Medeus theme with version 1.14 or lower are potentially vulnerable. No additional sub‑version distinctions are documented, so any site running an affected edition of Medeus should treat itself as at risk.
Risk and Exploitability
The CVSS score of 8.1 classifies the flaw as high severity, and the EPSS score of less than 1 % indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is a direct HTTP request to a file‑inclusion endpoint within the theme; no authentication is required, lowering the bar for exploitation, though the attacker must still craft an appropriate path to include the desired file.
OpenCVE Enrichment