Impact
The Kastell WordPress theme contains an unauthenticated Local File Inclusion flaw that allows an attacker to read files on the server. By manipulating a parameter that is passed to a file include function, an adversary can cause the theme to include arbitrary files, potentially exposing sensitive configuration or code data. This vulnerability is categorized as a path traversal flaw (CWE‑35) and can compromise confidential information and system integrity if files such as wp-config.php or server logs are accessed.
Affected Systems
This weakness affects WordPress installations that use the Mikado‑Themes Kastell theme, versions 2.0 or older. Sites that have not applied the 2.0.1 update are directly vulnerable.
Risk and Exploitability
The CVSS base score of 8.1 reflects a high severity, while no EPSS score is available and the flaw is not listed in the CISA KEV catalog. Because the vulnerability is unauthenticated and exploitable via a crafted request to a publicly exposed WordPress page, an attacker with network access to the site can trigger the inclusion without special privileges. The lack of remote authentication makes the attack likely from anywhere that can reach the site.
OpenCVE Enrichment