Impact
The Atomlab WordPress theme up to and including version 2.4.5 contains an unauthenticated Local File Inclusion flaw. The vulnerability allows an attacker who can reach the site’s web interface to supply crafted file paths that the theme then includes directly. Without any authentication guard, the attacker can read arbitrary files on the server, potentially exposing configuration data, credentials, or other confidential information. In the worst case, if the attacker controls a writable directory, the flaw could be escalated to remote code execution by including locally crafted scripts.
Affected Systems
ThemeMove’s Atomlab theme for WordPress. All installations running version 2.4.5 or earlier are affected. Any WordPress site that still uses the theme and has not elevated to version 2.4.6 or newer is vulnerable.
Risk and Exploitability
The CVSS score of 8.1 signals high severity, while the EPSS score is currently unavailable, leaving the exploitation probability unknown. The vulnerability is not listed in CISA’s KEV catalog yet, but the lack of an authentication requirement means an attacker can trigger the flaw from any location that can access the affected site. The straightforward exploitation path—sending a crafted request that directs the theme to include an arbitrary local file—makes the risk significant for unpatched sites.
OpenCVE Enrichment