Impact
The vulnerability arises from an improper control of the filename used in PHP include/require statements within the StylemixThemes Motors plugin. An attacker can supply a crafted value that forces the plugin to include local files, potentially allowing the attacker to read sensitive data or execute injected PHP code. This flaw is classified as a PHP Remote File Inclusion type of weakness, although the current description limits the attack to local files.
Affected Systems
The defect impacts all installations of the StylemixThemes Motors plugin from its earliest release through version 1.4.109. WordPress sites that have the plugin active are therefore at risk if the plugin has not been updated to 1.4.110 or newer.
Risk and Exploitability
The CVSS score of 8.1 marks this as a high‑severity issue. No EPSS score is published, and the vulnerability is not listed in CISA’s KEV catalog, indicating no widely known exploits yet. The likely attack vector is via a web request that includes a malicious query parameter to the plugin’s inclusion point. If the attacker can control the input, local file paths can be read or executed, potentially leading to full code execution or extensive data exposure.
OpenCVE Enrichment