WordPress Planty theme <= 1.14.0 - Local File Inclusion vulnerability

Vulnerability

The Planty WordPress theme, versions up to and including 1.14.0, contains an unauthenticated Local File Inclusion (LFI) vulnerability. The flaw allows an attacker to include arbitrary local files from the server, likely through a file path parameter in a request that is not properly sanitized. The vulnerability is reachable without any authentication or special privileges [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the affected endpoint, manipulating a file path parameter to reference sensitive files such as /etc/passwd or WordPress's wp-config.php. No authentication or user interaction is required; the attacker only needs network access to the target website. Because the vulnerability is present in a widely used theme, automated mass-exploitation campaigns are expected [1].

Impact

Successful exploitation leads to disclosure of sensitive local files. By reading wp-config.php, an attacker can obtain database credentials, which may allow complete takeover of the website's database if the credentials have sufficient privileges. This is a high-severity confidentiality impact with potential cascading effects on the integrity and availability of the site [1].

Mitigation

The vulnerability is addressed in a newer version of the Planty theme; users should update to the latest available version (greater than 1.14.0) immediately. If immediate update is not possible, users should contact their hosting provider or implement temporary mitigations such as blocking access to the vulnerable endpoint or deploying a web application firewall. No other workarounds are documented [1].