Impact
The vulnerability is a classic unauthenticated Local File Inclusion (LFI) in the WordPress Mr. SEO Theme supplied by Elated‑Themes. An attacker can supply a path parameter in a request that is not properly sanitized, allowing the theme to read arbitrary files or include PHP files on the server. If a PHP file is included, execution of code on the server’s behalf becomes possible, giving the attacker the same privileges as the web server process, potentially leading to full system compromise. Even if code execution is not achieved, the attacker can obtain sensitive configuration files, database credentials, or other confidential data, thereby compromising confidentiality and integrity of the site data.
Affected Systems
Versions of the WordPress Mr. SEO Theme up to and including 2.0 are affected. The theme is distributed by Elated‑Themes and is a popular component of WordPress installations. All sites running Mr. SEO 2.0 or older face this risk.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.1 and an EPSS score of less than 1 %. It is not listed in the CISA KEV catalog, indicating that there are no publicly known active exploits yet. However, the lack of authentication control means that any user who can reach the vulnerable URL can trigger the inclusion. The attack requires no specialized skills beyond crafting a crafted request, and the resulting impact can range from data leakage to full remote code execution depending on the included file. In the absence of mitigation, the risk remains significant for unpatched sites.
OpenCVE Enrichment