Impact
Unauthenticated local file inclusion has been identified in the Pearl – Corporate Business theme for WordPress versions 3.4.10 and earlier. An attacker can supply a crafted file path that bypasses validation and results in the server reading an arbitrary file on the local filesystem. This flaw, classified under CWE‑98, may expose configuration files, database credentials, or other sensitive data, and could enable further compromise if the read files contain exploitable code.
Affected Systems
The vulnerability affects the Pearl – Corporate Business WordPress theme distributed by StylemixThemes. All installations of the theme with a version number of 3.4.10 or lower are susceptible, while newer releases contain the fix.
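To check an installation against the version boundary above, the following added example (not part of the advisory or the vendor's code) reads each theme's `style.css` header and compares versions numerically. It assumes the theme's `Theme Name` header contains "Pearl" and that themes live under a directory such as `wp-content/themes`; the sample header is constructed.

```python
import re
from pathlib import Path

LAST_AFFECTED = "3.4.10"  # last vulnerable release, from the advisory text

# Constructed sample header for illustration; not copied from the real theme.
SAMPLE_STYLE_CSS = """/*
Theme Name: Pearl
Version: 3.4.9
*/
body { margin: 0; }
"""

def parse_theme_header(css_text):
    """Return lower-cased 'Key: value' fields from a style.css header."""
    fields = {}
    # WordPress reads header fields from roughly the first 8 KB of the file.
    for line in css_text[:8192].splitlines():
        m = re.match(r"^[\s*/]*([A-Za-z ]+?)\s*:\s*(.+?)\s*(?:\*/)?\s*$", line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields

def version_tuple(version):
    """Numeric tuple, so 3.4.9 sorts below 3.4.10 (string compare does not)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def is_affected(version):
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)

def audit_themes(themes_dir, name_hint="pearl"):  # name_hint is an assumption
    """List (directory, version, affected) for matching parent themes."""
    results = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        hdr = parse_theme_header(css.read_text(encoding="utf-8", errors="replace"))
        if name_hint not in hdr.get("theme name", "").lower():
            continue
        if "template" in hdr:  # child theme: its Version is not the parent's
            continue
        ver = hdr.get("version", "")
        # None means no Version header was found: unknown, check by hand.
        results.append((css.parent.name, ver, is_affected(ver) if ver else None))
    return results

if __name__ == "__main__":
    import sys
    for name, ver, hit in audit_themes(sys.argv[1]):
        state = "AFFECTED" if hit else "ok" if hit is False else "unknown"
        print(f"{name}\t{ver or '?'}\t{state}")
```

Run it with the themes directory as the only argument; child themes are skipped because their own `Version` header says nothing about the parent theme's release.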
Risk and Exploitability
The vulnerability carries a CVSS score of 8.1, placing it in the high‑severity range. No EPSS score is currently available, but the flaw is unauthenticated, implying that any visitor to the site could potentially exploit it. The vulnerability is not listed in the CISA KEV catalog, yet its potential impact and lack of required authentication still render it a significant risk. Exploitation requires only the presence of the vulnerable theme and the ability to send requests that include the target file path, making it straightforward for attackers to read sensitive files or possibly execute code if the read data is later leveraged by other vulnerabilities.