WordPress Medeus theme <= 1.14 - Local File Inclusion vulnerability

Vulnerability

The Medeus WordPress theme versions up to and including 1.14 contain an unauthenticated Local File Inclusion (LFI) vulnerability. No authentication or special permissions are required to trigger the vulnerable code path. The flaw resides in the theme's file inclusion mechanism, allowing remote inclusion of arbitrary local files without prior authentication [1].

Exploitation

An attacker can exploit this by sending a crafted HTTP request to the vulnerable WordPress site using the Medeus theme. No authentication is needed; the attacker only requires network access to the target. The specific request parameters manipulate file inclusion to read local files on the server [1].

Impact

Successful exploitation allows the attacker to read arbitrary files from the server's filesystem. This includes sensitive files such as wp-config.php (containing database credentials), which could lead to complete database takeover. The information disclosure can compromise the entire WordPress installation and potentially the underlying server [1].

Mitigation

The vulnerability affects Medeus theme versions 1.14 and earlier. The recommended mitigation is to update the theme to the latest patched version as soon as it becomes available. Since the vulnerability is expected to be used in mass-exploit campaigns, immediate action is critical. If unable to update, consult a hosting provider or developer for assistance [1].