WordPress Modernee theme <= 1.6.0 - Local File Inclusion vulnerability

Vulnerability

The Modernee WordPress theme versions up to and including 1.6.0 contain an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can exploit this without any authentication or user interaction. The vulnerability allows inclusion of arbitrary local files from the server, potentially exposing sensitive information. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted request to the vulnerable theme endpoint. No authentication is required, and the attack can be performed remotely over the network. The attacker does not need any special privileges or user interaction. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites. [1]

Impact

Successful exploitation allows an attacker to read arbitrary local files on the server, including configuration files that may contain database credentials. This could lead to complete database takeover depending on the server configuration. The CVSS score is 8.1 (High). [1]

Mitigation

The vulnerability affects Modernee theme versions up to 1.6.0. Users should update to a patched version if available. As of the publication date, no fixed version is mentioned in the reference. Immediate action is recommended: update the theme or contact the hosting provider for assistance. [1]