Impact
This vulnerability is an unauthenticated Local File Inclusion flaw in the Granola theme for WordPress, affecting all versions 1.13 and earlier. An attacker can supply crafted input to the theme’s file inclusion routine, causing the server to read files that the web user has access to. Because the exploit allows arbitrary file reads, it can expose sensitive configuration data, user credentials, or other private content and could be chained with other weaknesses to achieve code execution. The issue is classified as CWE‑98 and carries a CVSS score of 8.1, indicating a high severity and strong potential for compromise.
Affected Systems
The Granola theme is distributed by ThemeREX and is often installed on WordPress sites that adopt the theme. Any site that is running version 1.13 or earlier of the theme is vulnerable. No specific patch version is listed, but the vulnerability is only present in those older releases.
Risk and Exploitability
Authentication is not required, so the LFI can be triggered by any user or attacker who can send requests to the WordPress site. The EPSS metric is unavailable, however the high CVSS score and the fact that this vulnerability is not listed in the CISA KEV catalog suggest that while the threat is significant, there is no confirmed widespread exploitation yet. Successful exploitation would allow an attacker to read arbitrary files, potentially exposing secrets or enabling further attacks such as remote code execution if combined with other flaws.
OpenCVE Enrichment