Impact
An unauthenticated Local File Inclusion flaw exists in the Solene WordPress theme versions up to 3.4. The vulnerability allows an attacker to read arbitrary files from the server; based on the nature of LFI, it is inferred that including a PHP file could allow code execution, though this is not explicitly confirmed in the description. This flaw can compromise confidentiality, integrity, and availability of the site and its underlying server. The weakness is a classic file inclusion defect (CWE-98).
Affected Systems
The issue affects installations of the Solene theme produced by Elated‑Themes for WordPress. Any site running Solene 3.4 or earlier is susceptible, regardless of the WordPress core version. The exact affected versions are all releases up to and including 3.4.
Risk and Exploitability
The CVSS score of 8.1 marks this as a high severity flaw. The EPSS score of less than 1% indicates a very low likelihood of current exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Inference suggests the attack vector involves manipulation of URL parameters to pass a file path to the vulnerable inclusion point; no authentication is required. Though the exploitation probability is low, the high impact warrants prompt action.
OpenCVE Enrichment