Impact
An unauthenticated local file inclusion vulnerability exists in the WordPress Right Way theme version 4.0 and earlier. This weakness allows an attacker to supply a crafted request that forces the theme to read and display files from the server’s file system. The impact is the unauthorized disclosure of sensitive server files such as configuration files, which could reveal database credentials and other secrets. Additionally, if the included files contain executable code or can be manipulated to trigger further weaknesses, the attacker might be able to execute arbitrary commands on the host. The weakness is categorized under CWE‑98.
Affected Systems
The affected product is the Themeum Right Way WordPress theme, versions 4.0 and lower. WordPress sites that have deployed these theme versions are at risk until the theme is upgraded to a newer release that removes the vulnerability.
Risk and Exploitability
The vulnerability carries a high CVSS score of 8.1, indicating that it is both serious and relatively easy to exploit. While no EPSS score is available, the lack of a KEV listing means no confirmed exploits have been reported as of the last update. The likely attack vector is a remote attacker sending a specially crafted URL or request to the site’s public interface that triggers the theme’s inclusion mechanism. Because the vulnerability is unauthenticated, any visitor with network access can potentially exploit it, making it a significant risk to confidentiality and integrity for affected sites.
OpenCVE Enrichment