Impact
The vulnerability is an unauthenticated Local File Inclusion flaw in the EcoBlue WordPress theme. It allows an attacker to manipulate a file include parameter to read files that should not be publicly accessible, and if the included file contains executable code, the attacker can run arbitrary code on the server. The weakness is documented as CWE‑98 and results in exposure of sensitive information and possible remote code execution, which can affect both the confidentiality and integrity of the site.
Affected Systems
The affected product is the EcoBlue theme provided by ThemeREX. Versions up to and including 1.15 are vulnerable. Any WordPress installation using one of these versions is at risk if the theme’s file inclusion logic is exposed through public URLs.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity, and although no EPSS score is available, the lack of a KEV listing does not reduce the potential for exploitation. The likely attack vector is remote via the web interface, as the vulnerability is triggered by manipulating user-supplied input that is not properly validated. An attacker does not need privileged access or authentication to trigger the flaw, which increases the risk of successful exploitation.
OpenCVE Enrichment