Impact
An unauthenticated Local File Inclusion vulnerability (CWE-98) exists in the Truemag theme for WordPress up to version 4.3.14.2. The flaw allows an attacker to instruct the theme to include arbitrary local files, potentially exposing sensitive information stored on the server or enabling execution of malicious code if the accessed file contains executable content. The impact is primarily a confidentiality breach, with the possibility of further escalation depending on the server configuration and available files.
Affected Systems
WordPress sites that employ the Truemag theme supplied by CactusThemes. Versions up to and including 4.3.14.2 are affected. Sites that have not applied the latest version or have retained these legacy versions remain vulnerable.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attack vectors include manipulation of theme configuration or URLs that trigger the inclusion logic. Successful exploitation requires unauthenticated access to the site and the ability to influence the path used in the inclusion. The overall risk is moderate due to the high severity but low exploitation likelihood.
OpenCVE Enrichment