WordPress MaxiNet theme <= 1.2.10 - Local File Inclusion vulnerability

Vulnerability

The MaxiNet WordPress theme versions 1.2.10 and earlier contain an unauthenticated Local File Inclusion (LFI) vulnerability. This flaw allows an attacker to include arbitrary local files from the server without requiring any authentication or special privileges. The vulnerability is present in the theme's file handling logic and can be triggered remotely. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to a vulnerable endpoint of the MaxiNet theme. No authentication or user interaction is required. The attacker only needs network access to the target website. By manipulating a file path parameter, the attacker can include and display the contents of arbitrary local files on the server. [1]

Impact

Successful exploitation allows an attacker to read sensitive local files, such as wp-config.php, which contains database credentials. This could lead to complete database takeover depending on the server configuration. The vulnerability is rated with a CVSS score of 8.1 (High) and is considered highly dangerous, with potential for mass exploitation campaigns. [1]

Mitigation

As of the advisory, no specific fixed version has been disclosed. The recommended immediate action is to update the MaxiNet theme to the latest available version. If an update is not possible, users should contact their hosting provider or web developer for assistance. Given the severity and active exploitation risk, applying any available vendor patch or disabling the theme until a fix is released is strongly advised. [1]