Impact
The vulnerability is an unauthenticated local file inclusion flaw in the WordPress Hitek theme versions older than 1.8.3. Attackers can craft requests that cause the theme to include arbitrary files from the server, potentially leading to sensitive information disclosure or further exploitation if code files are included.
Affected Systems
The affected product is the WordPress Hitek theme developed by xtemos, specifically any installation using a version less than 1.8.3. This theme is commonly deployed on WordPress sites hosted on PHP servers.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity. No EPSS score is available, so current exploitation probability is unknown, yet the flaw remains unpatched in many environments. Because the vulnerability requires no authentication and has no access controls, it can be triggered by any user who can manipulate the request parameters that feed the file inclusion logic. The lack of listing in CISA KEV does not mitigate the risk if the theme remains in use.
OpenCVE Enrichment