Impact
The Malmö theme for WordPress contains an unauthenticated Local File Inclusion flaw, allowing an attacker to request arbitrary files on the web server’s file system through a vulnerable parameter. This weakness, categorized as CWE‑98, can result in unauthorized disclosure of sensitive configuration files or, if the included file is executable, could lead to remote code execution. The impact is significant as it can expose proprietary code, user data, or even compromise the entire site.
Affected Systems
The vulnerability affects installations of the Elated‑Themes Malmö WordPress theme, versions 2.2 and older. Any site running these versions without additional protective measures is at risk.
Risk and Exploitability
The CVSS score of 8.1 reflects a high severity, and while the EPSS score is not available, the lack of a KEV listing does not diminish the threat. The flaw is reachable without authentication and can be exploited over the network by constructing a crafted URL pointing to the vulnerable inclusion point. Attackers would need to know the correct parameter name, but local file inclusion is a well‑known exploit vector in WordPress themes, so the likelihood of exploitation is considered moderate to high.
OpenCVE Enrichment