WordPress Abelle theme <= 1.22 - Local File Inclusion vulnerability

Vulnerability

The WordPress Abelle theme, versions 1.22 and earlier, contains an unauthenticated local file inclusion (LFI) vulnerability. The flaw resides in the theme's file handling mechanism, allowing an attacker to include arbitrary local files from the server without requiring any authentication. This code path is reachable by sending specially crafted requests to the vulnerable endpoint.

Exploitation

An attacker needs only network access to the target WordPress site; no authentication or special privileges are required. The attacker can exploit the vulnerability by manipulating input parameters in HTTP requests, causing the theme to include and output the contents of a local file, such as /etc/passwd or wp-config.php. This can be done remotely and does not require any user interaction.

Impact

Successful exploitation leads to disclosure of sensitive local files. The attacker can read files containing credentials (e.g., database credentials in wp-config.php), potentially leading to complete database compromise and further exploitation of the WordPress installation. The impact includes information disclosure and, depending on what files are read, can facilitate privilege escalation or lateral movement within the environment. The CVSS score for this vulnerability is 8.1, indicating high severity [1].

Mitigation

As of the publication date (2026-06-16), there is no information about a patched version. However, the reference [1] strongly recommends updating the affected plugin immediately. If a fixed version is not yet available, users are advised to contact their hosting provider or a web developer for assistance in mitigating the vulnerability. No workarounds are explicitly mentioned.