WordPress Kelly Young theme <= 1.1.0 - Local File Inclusion vulnerability

Vulnerability

The Kelly Young WordPress theme versions 1.1.0 and earlier contain an unauthenticated Local File Inclusion (LFI) vulnerability. This flaw allows an attacker to include arbitrary local files from the server without requiring any authentication. The vulnerability is present in the theme's file handling logic, which fails to properly sanitize user-supplied input before including files [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to a vulnerable endpoint within the theme. No special privileges or user interaction are required. The attacker simply needs network access to the target WordPress site. By manipulating a parameter (likely related to file inclusion), the attacker can force the server to include and output the contents of arbitrary local files [1].

Impact

Successful exploitation allows an attacker to read sensitive files on the server, such as wp-config.php, which contains database credentials and other secrets. This could lead to complete database takeover depending on the server configuration. The impact is limited to information disclosure (confidentiality), but the exposed credentials can enable further compromise. The attacker gains no direct code execution or write access from this vulnerability alone [1].

Mitigation

The vendor has released a fix; users should update the Kelly Young theme to a version newer than 1.1.0 immediately. If updating is not possible, it is recommended to contact the hosting provider or a web developer for assistance. No workaround is provided in the available reference. The vulnerability is listed as highly dangerous and expected to be exploited in mass campaigns [1].