Impact
The vulnerability is an unauthenticated Local File Inclusion in the Skyward theme for WordPress versions 1.10 and earlier. The flaw allows an attacker to read arbitrary files from the web server, exposing configuration data, credentials, or other sensitive information. If the included file contains executable code, an attacker could potentially execute arbitrary commands, escalating the impact to remote code execution.
Affected Systems
Affected systems are installations running ThemeREX Skyward theme version 1.10 or older on WordPress sites. Any user who can construct URLs to the theme’s file inclusion handler can exploit the flaw.
Risk and Exploitability
CVSS score of 8.1 indicates high severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. The attack vector is likely a web request to the vulnerable site, with no authentication required. Because it is unauthenticated, any visitor could exploit it, making the risk significant for sites running affected versions.
OpenCVE Enrichment