WordPress Corbesier theme <= 1.15.0 - Local File Inclusion vulnerability

Vulnerability

The Corbesier WordPress theme versions 1.15.0 and earlier are vulnerable to an unauthenticated local file inclusion (LFI) flaw. An attacker can exploit this vulnerability without any authentication or user interaction by sending specially crafted requests to the theme's file inclusion functionality. The vulnerability exists due to insufficient input validation, allowing inclusion of arbitrary local files from the server [1].

Exploitation

An attacker with network access to the target WordPress site can exploit this vulnerability remotely. No authentication or prior knowledge is required. The attacker sends a malicious request containing path traversal sequences to the vulnerable parameter, causing the theme to include and display the contents of arbitrary files on the server. This technique is commonly used in mass-exploit campaigns targeting thousands of websites simultaneously [1].

Impact

Successful exploitation allows an attacker to read sensitive local files, such as wp-config.php which contains database credentials. Depending on the server configuration, this could lead to complete database takeover and full compromise of the WordPress installation. The vulnerability is rated with a CVSS score of 8.1 (High) and is considered highly dangerous, with active exploitation expected [1].

Mitigation

The vendor has released a patched version of the Corbesier theme. Users are strongly advised to update to the latest available version immediately. If updating is not possible, users should contact their hosting provider or web developer for assistance. Given the severity and likelihood of mass exploitation, this vulnerability may be added to the CISA Known Exploited Vulnerabilities (KEV) catalog [1].