Impact
The vulnerability is an unauthenticated Local File Inclusion flaw that allows a malicious actor to include arbitrary files on the server through the WordPress ChapterOne theme. This weakness arises from improper file path handling, as identified by CWE-98. If exploited, the attacker could read sensitive files, execute arbitrary code, or pivot to other parts of the system, compromising confidentiality, integrity, and potentially availability.
Affected Systems
WordPress sites running the ChapterOne theme from Mikado-Themes up to and including version 1.7 are affected. No specific minor patch levels are listed; all releases of ChapterOne 1.7 or earlier are vulnerable.
Risk and Exploitability
The CVSS score of 8.1 indicates a high severity risk. Since the EPSS score is not available and the vulnerability is not listed in CISA KEV, exploitation likelihood is not precisely quantified, but the unauthenticated nature and ease of triggering file inclusion suggest a significant potential for exploitation. The likely attack vector is through a crafted request that manipulates the theme’s file inclusion logic to read arbitrary files from the server.
OpenCVE Enrichment