Impact
The vulnerability is an unauthenticated Local File Inclusion (LFI) flaw in the Solene Core plugin for WordPress versions 2.3.2 and earlier. An attacker can supply a crafted input that causes the plugin to include arbitrary local files. The issue is classified as CWE‑98, which indicates a failure to properly validate and sanitize file paths. Since the flaw is unauthenticated, any user can attempt the exploit, potentially enabling the reading of sensitive files or the injection of malicious code if the included content is executable.
Affected Systems
Elated‑Themes Solene Core plugin, versions up to 2.3.2 are affected. The fix requires updating the plugin to at least version 2.3.4.
Risk and Exploitability
The CVSS score of 8.1 marks the vulnerability as high severity. Without an EPSS score, the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw permits arbitrary local file inclusion without authentication, an attacker with sufficient network access could potentially read privileged data or upload code that later leads to remote code execution. The most probable attack vector is crafted request parameters that bypass the plugin’s input validation.
OpenCVE Enrichment