WordPress Deliciosa theme <= 1.10.0 - Local File Inclusion vulnerability

Vulnerability

Deliciosa, a WordPress theme, versions up to and including 1.10.0, contains an unauthenticated Local File Inclusion (LFI) vulnerability. The flaw resides in the theme's file loading mechanism, which does not properly validate or sanitize user-supplied input, allowing an attacker to specify arbitrary file paths. No authentication or special privileges are required to trigger this code path.

Exploitation

An attacker can exploit this vulnerability remotely without any prior authentication or user interaction. By sending a specially crafted HTTP request containing path traversal sequences (e.g., ../) to the vulnerable parameter, the attacker can include arbitrary local files from the server. The attack does not require a privileged network position; it can be performed over the public internet.

Impact

Successful exploitation allows the attacker to read the contents of sensitive local files, including wp-config.php, which contains database credentials. This exposure can lead to complete database takeover, depending on the database configuration. The vulnerability has a CVSS score of 8.1, indicating high severity, and is expected to be used in mass-exploit campaigns against thousands of websites regardless of size or popularity [1].

Mitigation

The vendor released a patched version; all users should update Deliciosa to version 1.10.1 or later immediately [1]. If unable to update, users are advised to contact their hosting provider or web developer for assistance. The vulnerability is listed on the Patchstack database and is considered highly dangerous, with active exploitation campaigns anticipated [1].