Impact
The vulnerability is an unauthenticated local file inclusion in WordPress Line Agency theme versions 1.3.1 and earlier. By submitting crafted requests to the theme, an attacker can cause the server to include arbitrary files from its filesystem. This can expose sensitive configuration data, private keys, or other confidential content and if the included file is executable or contains code, the attacker could gain remote code execution, leading to full compromise of the website.
Affected Systems
The affected product is the Line Agency theme by ThemeREX for WordPress. All releases through version 1.3.1 are vulnerable. Users running these or any earlier releases are at risk until the issue is resolved.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity vulnerability. Although there is no EPSS score available, the lack of authentication required and the direct nature of the file inclusion suggest that exploitation could be straightforward for attackers targeting WordPress sites. The vulnerability is not listed in the CISA KEV catalog, but the potential impact on confidentiality and integrity is significant, and the attack vector is likely through normal web traffic to the vulnerable theme. The risk remains high until a fix is applied.
OpenCVE Enrichment