Impact
An unauthenticated local file inclusion flaw exists in the WordPress Choreo theme versions 1.6 and earlier, classified as CWE‑98. This weakness allows an attacker to influence the inclusion of arbitrary local files on the server, potentially exposing sensitive data or executing malicious code if a vulnerable file is included.
Affected Systems
The vulnerability affects the ThemeREX Choreo theme for WordPress, specifically all releases up to and including version 1.6.
Risk and Exploitability
The flaw carries a CVSS score of 8.1, indicating high severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue without authentication by manipulating a request that triggers the theme’s file inclusion logic, potentially leading to information disclosure or remote code execution if the chosen file contains executable code.
OpenCVE Enrichment