Impact
The vulnerability allows an attacker to specify arbitrary file paths in a request to the Audrey theme, enabling local file inclusion. This can lead to reading sensitive configuration files, credentials, or potentially executing code if the included file contains exploitable content. The weakness is a classic CWE‑98 Local File Inclusion, and it can compromise confidentiality and integrity of the site without requiring authentication.
Affected Systems
WordPress sites that use the Elated‑Themes Audrey theme version 1.5 or earlier are affected. The issue is present in all released Audrey theme backups through that version. No other WordPress core or plugin versions are listed in the advisory.
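To check a site against the affected range above, this added example (not part of the advisory or the theme's code) reads each theme's `style.css` header the way WordPress does and flags Audrey installs at version 1.5 or earlier. The theme name "Audrey", the `audrey` directory name, and the sample tree are assumptions made for the illustration.

```python
import re
import tempfile
from pathlib import Path

LAST_AFFECTED = (1, 5)   # advisory: Audrey 1.5 or earlier
HEADER_BYTES = 8192      # WordPress only reads the first 8 KB for headers

def parse_theme_header(text):
    """Extract 'Field: value' pairs the way WordPress reads style.css."""
    fields = {}
    for name in ("Theme Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(name) + r":(.*)$", text, re.M | re.I)
        if m:
            # Drop a trailing comment terminator, then surrounding whitespace.
            fields[name] = re.sub(r"\s*\*/.*", "", m.group(1)).strip()
    return fields

def version_key(version):
    """'1.5.0' -> (1, 5); returns None when no leading numeric version exists."""
    m = re.match(r"\d+(?:\.\d+)*", version or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def audit_themes(themes_dir):
    """Return [(directory, version, status)] for every Audrey install found."""
    findings = []
    for css in sorted(Path(themes_dir).glob("*/style.css")):
        head = css.read_bytes()[:HEADER_BYTES].decode("utf-8", "replace")
        fields = parse_theme_header(head)
        # Assumption: the theme identifies itself as "Audrey" or lives in "audrey/".
        if "audrey" not in (fields.get("Theme Name", "").lower(), css.parent.name.lower()):
            continue
        key = version_key(fields.get("Version"))
        status = "unknown" if key is None else "affected" if key <= LAST_AFFECTED else "not listed"
        findings.append((css.parent.name, fields.get("Version"), status))
    return findings

def build_sample_tree():
    """Constructed sample wp-content/themes tree, for demonstration only."""
    root = Path(tempfile.mkdtemp())
    samples = {"audrey": "1.5.0", "audrey-staging": "1.4", "twentytwentyfour": "1.0"}
    for folder, ver in samples.items():
        (root / folder).mkdir()
        name = "Audrey" if folder.startswith("audrey") else folder
        (root / folder / "style.css").write_text(f"/*\nTheme Name: {name}\nVersion: {ver}\n*/\n")
    return root

if __name__ == "__main__":
    for finding in audit_themes(build_sample_tree()):
        print(*finding)
```

Point `audit_themes` at a real `wp-content/themes` directory to inventory a site; inactive copies are reported too, since their files remain on disk and reachable.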
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw via an unauthenticated HTTP request targeting the theme, making exploitation straightforward for anyone who can reach the site over the network. While there are currently no publicly known exploits, the lack of authentication combined with a high CVSS score means the risk of exploitation should be considered significant.