Impact
The Thegov Core plugin for WordPress contains an unauthenticated local file inclusion flaw in all releases before version 2.0.23. The weakness allows a request that is processed by the plugin to include the contents of any file readable by the web server. Based on the nature of local file inclusion, it is inferred that if a PHP file could be supplied in the inclusion path, the code within that file might be executed, potentially compromising the entire WordPress installation.
Affected Systems
Any WordPress installation that uses the WebGeniusLab Thegov Core plugin with a version older than 2.0.23 is affected. The vulnerability is specific to sites that have that plugin installed and do not depend on other WordPress core files or plugins.
Risk and Exploitability
The flaw is rated high severity with a CVSS score of 8.1. The EPSS score is below 1%, indicating a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers do not need authentication to trigger the flaw, as it is an unauthenticated vulnerability; an unauthenticated actor could request the relevant endpoint to exploit the file inclusion.
OpenCVE Enrichment