WordPress Spike theme <= 1.2 - Local File Inclusion vulnerability

Vulnerability

The Spike theme for WordPress, versions 1.2 and earlier, contains an unauthenticated Local File Inclusion (LFI) vulnerability. This allows an attacker to include arbitrary local files from the server without requiring any authentication. The vulnerability is present in the theme's file handling logic, which fails to properly sanitize user-supplied input [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable WordPress site, specifying a path to a local file. No authentication or prior access is needed. The attack can be performed remotely over the network. The exact parameter or endpoint is not detailed in the available reference, but typical LFI vectors involve manipulating file inclusion parameters in theme templates [1].

Impact

Successful exploitation allows an attacker to read the contents of arbitrary files on the server, including sensitive files such as wp-config.php which contains database credentials. This could lead to complete database takeover and full compromise of the WordPress installation. The CVSS score is 8.1 (High), and the vulnerability is expected to be used in mass-exploit campaigns [1].

Mitigation

Users are advised to update the Spike theme to the latest available version. If a patched version is not yet available, consider removing the theme or implementing a Web Application Firewall (WAF) rule to block LFI attempts. As of the advisory date, no specific fixed version has been announced, but immediate action is recommended due to the high risk of exploitation [1].