Impact
The vulnerability is an unauthenticated Local File Inclusion flaw in the Resurs theme for WordPress versions 1.3 and earlier. The flaw allows an attacker to manipulate user-supplied data to include files from the server during page rendering, potentially exposing sensitive files such as configuration data, passwords, or source code. The weakness is a classic input validation issue, classified as CWE‑98.
Affected Systems
This issue affects installations running the WordPress Resurs theme version 1.3 or earlier, maintained by ThemeREX. No other products or versions are known to be impacted.
Risk and Exploitability
The CVSS score of 8.1 reflects a high severity; the EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. Because the flaw is unauthenticated, any user who can trigger the theme’s file inclusion can potentially read files, but exploitation typically requires sending crafted requests to a publicly accessible endpoint that is not protected by authentication. In practice, the attack vector is likely local or network-based, exploiting the theme’s PHP code handling file paths.
OpenCVE Enrichment