Impact
The Grecko theme for WordPress versions up to and including 5.17 contains an unauthenticated Local File Inclusion flaw. The vulnerability allows an attacker to include arbitrary files on the server, which can lead to the execution of malicious code or disclosure of sensitive data, thereby compromising the confidentiality, integrity, and availability of the WordPress installation.
Affected Systems
WordPress sites running ThemeREX Grecko version 5.17 or earlier are affected. Users of later Grecko releases are not impacted. No other WordPress themes or plugins are listed as vulnerable.
Risk and Exploitability
The flaw carries a CVSS score of 8.1, indicating high severity. The EPSS score is below 1%, suggesting low current exploitation probability. It is not listed in the CISA KEV catalog. Because the issue is unauthenticated and the attack vector is local file inclusion, an attacker can exploit it without needing privileged access to the site, but must have a way to trigger the vulnerable code path—likely through crafted URLs or reflected input. The potential impact ranges from information disclosure to remote code execution on the server depending on the included files.
OpenCVE Enrichment