WordPress Putter theme <= 1.17 - Local File Inclusion vulnerability

Vulnerability

The Putter theme for WordPress versions up to and including 1.17 contains an unauthenticated local file inclusion vulnerability [1]. The exact file inclusion mechanism is not publicly detailed, but the bug allows an attacker to include arbitrary local files from the server, exposing their contents [1]. The vulnerability requires no authentication or special configuration to be reachable.

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable WordPress site [1]. No authentication or user interaction is required, making the attack easy to automate. Advisory sources note that such vulnerabilities are actively used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows the attacker to read arbitrary local files on the server, including sensitive configuration files that may contain database credentials, API keys, or other secrets [1]. This information disclosure could lead to complete database compromise or further lateral attacks, depending on the server's configuration [1]. The impact is limited to information disclosure; remote code execution is not directly achieved.

Mitigation

As of the publication date, no patched version of the Putter theme has been announced [1]. Users should immediately update to the latest version of the theme if a fixed release exists, or disable the theme and replace it with an alternative [1]. If unable to update, consult a web developer or hosting provider for assistance. The vulnerability is listed in the Patchstack database with a CVSS score of 8.1, indicating high severity [1].