WordPress Truemag theme <= 4.3.14.2 - Local File Inclusion vulnerability

Vulnerability

The Truemag WordPress theme versions up to and including 4.3.14.2 contain an unauthenticated Local File Inclusion (LFI) vulnerability. This flaw allows a remote attacker to include arbitrary local files from the server without requiring any authentication. The vulnerable code path is reachable through a publicly accessible endpoint, although the specific parameter is not disclosed in the available references [1].

Exploitation

An attacker exploits this vulnerability by sending a crafted HTTP request to the affected endpoint with a file path as input. No authentication, user interaction, or special privileges are required. The attack can be performed remotely over the network, making it trivially exploitable. Patchstack notes that this vulnerability is expected to become exploited in mass campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows the attacker to read the contents of any local file on the web server, such as configuration files, database credentials (wp-config.php), and other sensitive data. With access to database credentials, an attacker could potentially achieve a complete database takeover, leading to full compromise of the WordPress site [1]. The confidentiality of the system is critically impacted, and further escalation is possible depending on the exposed information.

Mitigation

The vendor has released a fix; users must update the Truemag theme to a version later than 4.3.14.2. If immediate update is not possible, users should consult their hosting provider or web developer for assistance. The vulnerability is listed as highly dangerous and likely to be exploited in automated attacks, so prompt remediation is essential [1].