WordPress Rosaleen theme <= 2.8 - Local File Inclusion vulnerability

Vulnerability

Rosaleen, a WordPress theme, is vulnerable to an unauthenticated Local File Inclusion (LFI) in versions up to and including 2.8 [1]. The vulnerability allows an attacker to include arbitrary local files from the server without any authentication requirement. No specific configuration triggers this, and the affected versions are all Rosaleen releases prior to the fixed version.

Exploitation

An attacker can exploit this vulnerability remotely over the network, requiring no authentication or user interaction [1]. The exact sequence of steps is not detailed in the available references, but the flaw permits direct inclusion of local files through crafted HTTP requests.

Impact

Successful exploitation allows the attacker to read sensitive local files, such as database credentials (e.g., wp-config.php), leading to potential full database compromise [1]. The impact is information disclosure at a minimum, with a high risk of privilege escalation if credentials are extracted.

Mitigation

A fix has been released; users must update the Rosaleen theme to a version newer than 2.8 [1]. The vulnerability is listed as highly dangerous and expected to become part of mass-exploit campaigns [1]. If updating immediately is not possible, contact your hosting provider or web developer for assistance [1]. No other workarounds are mentioned.