Impact
The vulnerability allows an unauthenticated attacker to trigger a local file inclusion in WordPress sites that use the Etude theme up to version 1.6. This flaw can lead to disclosure of sensitive files on the server, as the attacker exploits insufficient input validation on file path handling, coded as CWE‑98. The impact is primarily a confidentiality breach, exposing server‑side content that could contain credentials, configuration files, or other confidential data. The vulnerability exists without authentication and does not directly provide arbitrary code execution but can be a stepping‑stone to further attacks.
Affected Systems
WordPress sites that have installed the ThemeREX Etude theme version 1.6 or earlier are affected. The vulnerability is tied specifically to the Etude theme bundle released by ThemeREX. No other versions or themes are listed as impacted.
Risk and Exploitability
The CVSS score of 8.1 classifies the flaw as high severity. The EPSS score is not available, so the current exploitation probability cannot be quantified but the absence of a KEV listing suggests no widespread, actively exploited instances are yet known. The likely attack vector involves sending a crafted HTTP request that manipulates file path parameters used by the theme. The flaw does not require user credentials, making it exploitable by a global attacker who can target any publicly reachable instance running an affected version.
OpenCVE Enrichment