WordPress Top Dog theme <= 1.0.5 - Local File Inclusion vulnerability

Vulnerability

The Top Dog WordPress theme versions up to and including 1.0.5 are vulnerable to an unauthenticated Local File Inclusion (LFI) attack. The vulnerability allows an attacker to include arbitrary local files from the server without requiring any authentication or user interaction. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable theme, specifying a path to a local file. No authentication is needed, and the attack can be carried out remotely. The exact parameter or endpoint is not publicly detailed, but the advisory confirms the unauthenticated nature of the flaw. [1]

Impact

Successful exploitation enables an attacker to read sensitive files on the server, such as wp-config.php which contains database credentials. This could lead to complete database compromise and further escalation depending on the server configuration. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns. [1]

Mitigation

Users should update the Top Dog theme to a patched version (1.0.6 or later) as soon as it becomes available. If no patch is released, consider disabling or removing the theme, or implementing a Web Application Firewall (WAF) rule to block LFI attempts. The advisory recommends immediate action due to the risk of widespread exploitation. [1]