Impact
The vulnerability is an unauthenticated Local File Inclusion flaw present in the Snowy theme for WordPress versions 1.13 and earlier. An attacker can cause the theme to include files from the server’s file system, potentially exposing sensitive information such as configuration files, database credentials, or arbitrary code. Because the flaw is classified as CWE‑98, it results from the theme failing to validate or sanitize input used to reference local files.
Affected Systems
Any WordPress installation that has the ThemeREX Snowy theme version 1.13 or earlier is affected. The issue is specific to that theme and does not extend to other WordPress themes or core. Administrators should identify all sites running Snowy <=1.13 to determine exposure.
Risk and Exploitability
The CVSS score of 8.1 signals a high‑severity vulnerability, and the absence of an EPSS figure means the current exploitation probability is not quantified. The flaw does not require authentication, so the likely attack vector is a crafted request that points the Snowy theme’s file handling code to an arbitrary local file. Although the vulnerability is not listed in CISA’s KEV catalog, the potential for reading arbitrary files makes the risk significant if the theme remains installed at a vulnerable version.
OpenCVE Enrichment