Impact
Unauthenticated Local File Inclusion in WordPress WineShop theme versions up to 3.17 allows an attacker to read arbitrary files on the server through a crafted request. This vulnerability, categorized as CWE‑98, could expose sensitive data and compromise the confidentiality and integrity of the site. Because no authentication is required, any visitor can trigger the inclusion.
Affected Systems
WordPress sites that are using the ThemeREX WineShop theme with a version of 3.17 or earlier are affected. Versions 3.18 and later are not listed as vulnerable.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity. The EPSS score of less than 1% suggests that exploitation is uncommon at present, and the vulnerability is not catalogued in the CISA KEV list. Exploitation would most likely occur via a crafted URL that exploits the theme's file‑inclusion logic, and it requires no special user privileges.
OpenCVE Enrichment