Impact
Unauthenticated Local File Inclusion in the WordPress Eventicity theme version 1.5 or earlier allows an attacker to read arbitrary files on the server. This vulnerability is categorized as CWE‑98 and can lead to disclosure of sensitive configuration files, credentials, or other private data. The lack of authentication or input validation means that any visitor can supply a crafted path to include unintended files, potentially exposing confidential information.
Affected Systems
The vulnerability affects the Eventicity theme developed by ThemeREX for WordPress. All installations running version 1.5 or earlier are impacted. Users of this theme who have not updated to a newer release are at risk, while version 1.6 and above are considered safe once patched. The specific product name is WordPress Eventicity theme by ThemeREX.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity, reflecting the threat of accessing data without authentication. Although an EPSS score is not available, the vulnerability is not present in CISA’s KEV list, suggesting no publicly known exploits yet; however the high CVSS and unauthenticated nature mean that attackers could trivially exploit the flaw via crafted requests. The attack vector is inferred to be remote over HTTP, requiring only that the target be reachable and that the theme’s file‑include mechanism is accessible. The absence of mitigations such as input sanitization or access controls makes exploitation straightforward.
OpenCVE Enrichment