WordPress Choreo theme <= 1.6 - Local File Inclusion vulnerability

Vulnerability

The Choreo WordPress theme versions up to and including 1.6 contain an unauthenticated Local File Inclusion (LFI) vulnerability. The flaw allows an attacker to include arbitrary local files from the server without requiring any authentication or special privileges. The vulnerable code path is reachable via a crafted HTTP request to a specific endpoint within the theme.

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted request to the vulnerable endpoint. No authentication, user interaction, or prior access is needed. The attack is performed over the network and does not require any special position. According to the reference [1], this vulnerability is already being used in mass-exploit campaigns, indicating that exploitation is straightforward and automated.

Impact

Successful exploitation allows an attacker to read arbitrary files from the server's filesystem. This includes sensitive files such as wp-config.php, which typically contains database credentials (username, password, host). With these credentials, an attacker could potentially gain full control of the website's database, leading to data theft, modification, or further compromise of the WordPress installation. The primary impact is on confidentiality, with potential escalation to integrity and availability depending on the attacker's actions.

Mitigation

The recommended mitigation is to update the Choreo theme to a version newer than 1.6. The reference [1] states that immediate action is required, and if unable to update, users should contact their hosting provider or web developer for assistance. No other workarounds are provided. The vulnerability is listed as highly dangerous and expected to become widely exploited.