Impact
An unauthenticated Local File Inclusion flaw exists in all WordPress Getaway theme versions earlier than 1.8. The weakness permits an attacker to read arbitrary files located on the server, such as configuration files or database credentials. The CVE description does not explicitly state that executing PHP source files leads to remote code execution; based on the nature of the vulnerability, it is inferred that if a PHP file were read and subsequently executed by the server, code execution could result, but this is not confirmed by the provided information.
Affected Systems
The vulnerability affects the WordPress Getaway theme developed by Select‑Themes. Any installation running the theme in a version below 1.8 is susceptible.
Risk and Exploitability
The flaw carries a CVSS score of 8.1, indicating high severity, while its EPSS score of less than 1 % suggests a low likelihood of exploitation at present. It is not listed in CISA KEV. Attackers can exploit the vulnerability unauthenticated by manipulating URL parameters that the theme interprets as file paths; the likely attack vector involves sending a specially crafted request to the theme’s front‑end, resulting in the inclusion of local files.
OpenCVE Enrichment