VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Food Drop theme <= 1.3 - Local File Inclusion vulnerability

CVE-2025-69125

Description

Unauthenticated Local File Inclusion (LFI) in Food Drop theme ≤1.3 allows attackers to read sensitive files and potentially gain full database access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Food Drop WordPress theme, versions up to and including 1.3, contains an unauthenticated Local File Inclusion (LFI) vulnerability. The vulnerability allows an attacker to include arbitrary local files from the target WordPress installation without requiring any authentication. This affects all installations running the vulnerable theme versions.

Exploitation

An attacker does not need any authentication or special privileges. By sending crafted requests to the target website, an attacker can exploit the LFI to include and display the contents of local files, such as the wp-config.php file, which contains database credentials. No user interaction is required, and the attack can be carried out remotely over the network and automated as part of mass-exploitation campaigns [1].

Impact

Successful exploitation allows an attacker to read sensitive files from the server, including configuration files that may store database credentials (e.g., wp-config.php). This information can lead to complete database takeover if the exposed credentials have sufficient privileges, resulting in full data compromise, unauthorized access, and potential control over the website [1].

Mitigation

The vulnerability affects Food Drop theme version 1.3 and earlier. The immediate recommended action is to update the theme to a patched version when available. If a fix is not yet released or cannot be applied, site administrators should ask their hosting provider or web developer for assistance in implementing temporary workarounds, such as disabling the theme or applying a web application firewall rule to block LFI attack patterns. The vulnerability is expected to be exploited in mass campaigns, so prompt action is crucial [1].
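
One way to check whether a server carries an affected copy, as an added example that is not part of the advisory or the theme's code: it reads the standard WordPress `style.css` header of each installed theme and flags Food Drop at version 1.3 or earlier. The `Theme Name` value `Food Drop` is an assumption, and the sample directory names and versions are constructed.

```python
import re
import tempfile
from pathlib import Path

THEME_NAME = "food drop"   # assumption: "Theme Name" value declared in style.css
LAST_AFFECTED = (1, 3)     # from the advisory: versions <= 1.3 are affected
HEADER = re.compile(r"^[ \t/*#@]*(Theme Name|Version):(.*)$", re.I | re.M)

def read_header(style_css: Path) -> dict:
    """Return the Theme Name and Version fields of a theme's style.css header."""
    text = style_css.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER.findall(text):
        fields.setdefault(key.lower(), value.strip(" \t*/\r"))
    return fields

def parse_version(raw: str):
    """'1.3' -> (1, 3); None when the value has no leading numeric version."""
    match = re.match(r"\d+(?:\.\d+)*", raw)
    return tuple(int(p) for p in match.group().split(".")) if match else None

def is_affected(version) -> bool:
    """True for versions <= 1.3; an unreadable version is flagged for review."""
    if version is None:
        return True
    width = max(len(version), len(LAST_AFFECTED))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) <= pad(LAST_AFFECTED)

def find_affected(themes_dir: Path) -> list:
    """List (directory, version) for each affected Food Drop copy under themes_dir."""
    hits = []
    for css in sorted(themes_dir.glob("*/style.css")):
        header = read_header(css)
        if header.get("theme name", "").lower() != THEME_NAME:
            continue
        raw = header.get("version", "")
        if is_affected(parse_version(raw)):
            hits.append((css.parent.name, raw or "unknown"))
    return hits

def demo() -> list:
    """Run the check over a constructed themes directory (names and versions made up)."""
    samples = {"a-old": "Theme Name: Food Drop\nVersion: 1.3", "b-newer": "Theme Name: Food Drop\nVersion: 1.3.1",
               "c-other": "Theme Name: Another Theme\nVersion: 1.0", "d-nover": "Theme Name: Food Drop"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, header in samples.items():
            (Path(tmp) / name).mkdir()
            (Path(tmp) / name / "style.css").write_text("/*\n" + header + "\n*/\n")
        return find_affected(Path(tmp))
```

On a real host, call `find_affected(Path(".../wp-content/themes"))`; an inactive copy is still reported, since the check only looks at what is on disk.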

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
