WordPress Iona theme <= 1.0.8 - Local File Inclusion vulnerability
Description
Unauthenticated Local File Inclusion in WordPress Iona theme up to 1.0.8 allows attackers to read sensitive files, potentially leading to database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Iona theme versions up to and including 1.0.8 contain an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can exploit this flaw without any authentication or user interaction, allowing them to include arbitrary local files from the server. The vulnerability is triggered via a crafted request that references a local file path, which is then displayed in the response. [1]
Exploitation
An attacker needs only network access to the target WordPress site. No authentication or special privileges are required. The attacker sends a specially crafted HTTP request to the vulnerable theme endpoint, specifying a local file path (e.g., /etc/passwd or a WordPress configuration file). The theme then includes and outputs the contents of that file. This can be done repeatedly to enumerate sensitive files. [1]
Impact
Successful exploitation allows an attacker to read arbitrary files from the server, including WordPress configuration files (wp-config.php) that contain database credentials, salts, and other secrets. With database credentials, an attacker could potentially gain full control of the database, leading to data theft, privilege escalation, or site defacement. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns. [1]
Mitigation
As of the publication date, no patched version of the Iona theme has been released. Users should immediately update to the latest available version of the theme (if a patched version exists) or consider disabling the theme until a fix is provided. Hosting providers or web developers can assist with temporary workarounds, such as implementing web application firewall rules to block LFI attempts. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, but given its severity, prompt action is recommended. [1]
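Until a patched theme ships, the practical defensive control is to watch for the request pattern described above. The following is an added example by the editor, not code from the advisory or the Iona theme: it scans constructed access-log lines for requests into the theme's directory whose query string carries traversal sequences or references to the files the advisory names. The endpoint name (view.php), the parameter name (file), the client addresses and the timestamps in the sample are assumptions for illustration only.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Directory of the affected theme. The endpoint and query parameter in the
# constructed sample log below are assumptions; the advisory does not name them.
THEME_PREFIX = "/wp-content/themes/iona/"
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2026:10:01:02 +0000] "GET /wp-content/themes/iona/style.css HTTP/1.1" 200 9000
203.0.113.9 - - [04/Jun/2026:10:01:05 +0000] "GET /wp-content/themes/iona/view.php?file=../../../../etc/passwd HTTP/1.1" 200 2048
203.0.113.9 - - [04/Jun/2026:10:01:06 +0000] "GET /wp-content/themes/iona/view.php?file=..%252F..%252Fwp-config.php HTTP/1.1" 200 3101
198.51.100.4 - - [04/Jun/2026:10:02:10 +0000] "GET /?p=12&file=../notes.txt HTTP/1.1" 200 15000
198.51.100.4 - - [04/Jun/2026:10:02:11 +0000] "GET /wp-content/themes/iona/view.php?file=header HTTP/1.1" 200 1200
"""

# Combined log format: client IP and the request target inside the quoted request line.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*"')
# ".." as a path segment inside the query string (file=../x, file=..\x).
TRAVERSAL_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\]|$)')
# Files the advisory names as read targets, plus two common LFI canaries.
SENSITIVE_RE = re.compile(
    r'(?:^|/)(?:etc/passwd|etc/shadow|wp-config\.php|proc/self/environ)(?:$|[^a-z0-9])', re.I)

def classify(target: str) -> list[str]:
    """Return the LFI indicators found in one request target; empty if clean."""
    # Decode twice so double-encoded sequences (%252F) are seen, then unify slashes.
    path, _, query = unquote(unquote(target)).replace("\\", "/").partition("?")
    if not path.startswith(THEME_PREFIX):
        return []  # only requests into the theme's directory are in scope
    reasons = []
    if TRAVERSAL_RE.search(query):
        reasons.append("path traversal in query")
    if SENSITIVE_RE.search(query):
        reasons.append("sensitive file reference")
    return reasons

def scan(log_text: str) -> list[dict]:
    """One finding per suspicious request: client IP, raw target and reasons."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (reasons := classify(m["target"])):
            findings.append({"ip": m["ip"], "target": m["target"], "reasons": reasons})
    return findings

def repeat_offenders(findings: list[dict], threshold: int = 2) -> dict[str, int]:
    """IPs with at least `threshold` hits; repeated requests suggest file enumeration."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The same two regexes translate directly into a WAF rule scoped to the theme path; the repeat-offender count is what distinguishes the enumeration behaviour the advisory describes from a single stray probe.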
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 1
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026), Wordfence Blog, Jun 4, 2026