WordPress ITactics theme <= 1.0 - Local File Inclusion vulnerability

Vulnerability

The ITactics WordPress theme versions 1.0 and earlier contain an unauthenticated Local File Inclusion (LFI) vulnerability [1]. An attacker can exploit this flaw without any authentication or user interaction. The vulnerability allows inclusion of arbitrary local files from the server, which are then displayed in the response.

Exploitation

An attacker can send a crafted HTTP request to the vulnerable endpoint, specifying a path to a local file. No authentication or special privileges are required. The attacker only needs network access to the target website. The file inclusion occurs without any user interaction, making it easy to automate in mass-exploit campaigns [1].

Impact

Successful exploitation allows an attacker to read sensitive files on the server, such as wp-config.php which contains database credentials. This could lead to complete database takeover if the credentials are exposed. The impact is high due to the potential for information disclosure and subsequent compromise of the entire WordPress installation [1].

Mitigation

As of the publication date, no patched version of the ITactics theme has been released. Users are advised to remove the theme from their WordPress installation or implement a Web Application Firewall (WAF) rule to block file inclusion attempts. Immediate action is recommended as this vulnerability is expected to be exploited in mass campaigns [1].