Impact
An unauthenticated Local File Inclusion flaw exists in WordPress Aperitif Theme versions up to 1.5. The vulnerability allows an attacker to specify a file path parameter that is not properly validated, enabling read access to files outside the intended directory. If exploited, an attacker could obtain sensitive configuration files, credentials, or other files that reveal sensitive information or, in combined circumstances, potentially lead to remote code execution. The weakness is classified as CWE‑98, which describes improper validation or sanitization of a file name or path.
Affected Systems
The problem is limited to installations of the WordPress Aperitif Theme provided by Elated‑Themes, specifically versions 1.5 or earlier. Systems running WordPress with this theme and not yet updated to a later release are at risk.
Risk and Exploitability
The assessed CVSS score of 8.1 places this vulnerability in the High severity range, indicating a substantial threat if exploited. The EPSS score is reported as less than 1%, reflecting a very low but non‑zero probability of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, which may limit visibility to security teams. Given the unauthenticated nature of the flaw, any user who can trigger the vulnerable request path can potentially read arbitrary files, making the threat vector remote via the web interface.
OpenCVE Enrichment