WordPress Dom theme <= 1.24 - Local File Inclusion vulnerability

Vulnerability

The WordPress Dom theme versions up to and including 1.24 contain an unauthenticated Local File Inclusion (LFI) vulnerability. The LFI occurs in the theme's file handling logic, allowing an attacker to include arbitrary local files from the server without any authentication. No special configuration is required beyond having a vulnerable version of the theme active. [1]

Exploitation

An attacker can exploit this vulnerability by sending crafted requests to the WordPress site running the vulnerable Dom theme. No authentication or prior access is needed, and no user interaction is required. The attack vector is network-based with low attack complexity. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity. [1]

Impact

Successful exploitation allows an attacker to include and display local files from the target website's server. This can expose sensitive files such as database configuration files containing credentials (e.g., username and password for the database). In a worst-case scenario, an attacker could use the disclosed database credentials to achieve complete database takeover, leading to full compromise of the WordPress site and its data. [1]

Mitigation

As of the time of this advisory, no fixed version has been released. The vendor (Patchstack) recommends updating the affected plugin as an immediate action. If an update is not available, users should contact their hosting provider or web developer for assistance. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should monitor the theme's update channel for a patch. [1]