Impact
The vulnerability allows unauthenticated users to include arbitrary local files through the Eros theme’s exposed input handling. This Local File Inclusion flaw (CWE‑98) can expose sensitive data stored on the web server and, if combined with other weaknesses, may serve as a foothold for more extensive compromise.
Affected Systems
WordPress sites that use the ThemeREX Eros theme version 1.3 or earlier are affected. Any installation of Eros v1.3 or older must be considered vulnerable until the theme is upgraded.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests a low current exploitation probability. Based on the description, it is inferred that attackers can trigger the issue by sending a crafted request to a publicly reachable endpoint within the theme, making the flaw relatively easy to exercise for anyone with network access to the site. Although not listed in CISA’s KEV catalogue, the potential impact on confidentiality and integrity warrants prompt action.
OpenCVE Enrichment