Impact
Unauthenticated Local File Inclusion (LFI) exists in the Roneous theme with versions up to 2.1.5. The flaw permits an attacker to specify a file path and have the theme include that file in the output, potentially exposing sensitive content. The precise response is not detailed by the vendor, but the nature of the vulnerability implies that arbitrary local files could be read if the inclusion is not properly guarded.
Affected Systems
WordPress installations that have the Roneous theme (produced by THEMELOGI) installed at version 2.1.5 or earlier are affected. No additional products or versions are listed as impacted.
Risk and Exploitability
The CVSS score of 8.1 classifies this as high severity, yet the EPSS score is below 1%, indicating a low likelihood of being exploited in the wild. This vulnerability is not present in the CISA KEV catalog. The likely attack vector would involve an unauthenticated user creating a request that the theme processes, such as manipulating a query string or other input to trigger the file inclusion. Because the flaw is unauthenticated, an attacker does not need prior access to the site. The risk primarily concerns disclosure of local files, which might include configuration data or other sensitive information that could enable further attacks.
OpenCVE Enrichment