VYPR
Unrated severity · NVD Advisory · Published Jun 16, 2026

WordPress Getaway theme < 1.8 - Local File Inclusion vulnerability

CVE-2026-39547

Description

Unauthenticated local file inclusion in the Getaway WordPress theme prior to version 1.8 allows attackers to read sensitive files, including database credentials, potentially leading to complete site compromise.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The Getaway WordPress theme in versions prior to 1.8 contains an unauthenticated Local File Inclusion (LFI) vulnerability. The flaw is a file-inclusion call that receives a user-supplied value without validating or restricting it, so an attacker can point it at an arbitrary file path without any authentication. The code path is reachable under the default configuration; no special settings are needed to trigger the vulnerability [1].

Exploitation

An attacker on any network path to the site can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint; no authentication or user interaction is required. The attacker supplies the path of a local file (e.g., /etc/passwd or wp-config.php) in the request parameter, and the server includes that file and returns its contents [1]. One caveat for testers: if the sink is a PHP include rather than a file read, a PHP source file such as wp-config.php is executed rather than echoed, and disclosing its contents typically requires an additional step such as a php://filter wrapper; the public description does not say which sink is involved, so verify the behaviour against a test instance before drawing conclusions about what an attacker could have read.

Impact

Successful exploitation allows an attacker to read arbitrary local files on the target server. This can expose sensitive information such as database credentials, site configuration, and other secrets stored in files on the web server. In many cases, leaked database credentials (found in wp-config.php) can enable a full database takeover, potentially leading to complete administrative control over the WordPress site [1].

Mitigation

Update the Getaway theme to version 1.8 or later, which contains the fix. As of the publication date (2026-06-16), no other workaround has been documented. Site owners who cannot update immediately should consult their hosting provider or apply a virtual patch or Web Application Firewall (WAF) rule that rejects traversal sequences (../), absolute paths and PHP stream wrappers in the theme's request parameters [1]; treat this as a stopgap rather than a fix, since encoding variants are easy to miss. After updating, confirm the installed version under Appearance > Themes, and if access logs show traversal requests that were answered with 200, assume the secrets in wp-config.php (database credentials, authentication keys and salts) have been read and rotate them.
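The following Python script is an added example written for this page, not code from the Getaway theme or from the cited reference. It serves both the Exploitation and Mitigation sections: it scans constructed access-log lines for the request pattern described above (traversal sequences, sensitive file names, null bytes and php:// wrappers, including the double-encoded variants a naive string match misses) and exposes the same check as a request-level block function of the kind a virtual patch or WAF rule would apply. The endpoint path /wp-content/themes/getaway/index.php and the parameter name tpl are assumptions for illustration only; the advisory does not name the vulnerable endpoint or parameter.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in combined log format (not real traffic). The endpoint
# and the "tpl" parameter are hypothetical; the advisory does not name them.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Jun/2026:10:00:01 +0000] "GET /wp-content/themes/getaway/index.php?tpl=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Jun/2026:10:00:02 +0000] "GET /wp-content/themes/getaway/index.php?tpl=../../../../etc/passwd HTTP/1.1" 200 1948 "-" "curl/8.4.0"
198.51.100.7 - - [16/Jun/2026:10:00:03 +0000] "GET /wp-content/themes/getaway/index.php?tpl=..%252f..%252f..%252fwp-config.php HTTP/1.1" 200 3000 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jun/2026:10:00:04 +0000] "GET /wp-content/themes/getaway/index.php?tpl=php://filter/convert.base64-encode/resource=../../../wp-config.php HTTP/1.1" 200 4096 "-" "python-requests/2.31"
198.51.100.7 - - [16/Jun/2026:10:00:05 +0000] "GET /wp-content/themes/getaway/index.php?tpl=../../../../etc/passwd%00 HTTP/1.1" 403 199 "-" "python-requests/2.31"
192.0.2.9 - - [16/Jun/2026:10:00:06 +0000] "GET /?s=holiday HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# File names an LFI probe typically targets, and PHP stream wrappers that turn a
# plain include into a source-disclosure or archive-read primitive.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "wp-config.php")
WRAPPERS = ("php://", "file://", "phar://", "zip://")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded "..%252f" is seen as "../" rather than slipping past a rule."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_value(raw: str) -> list[str]:
    """Return the reasons a single parameter value looks like an LFI attempt."""
    value = fully_decode(raw).replace("\\", "/")  # treat Windows separators like "/"
    low = value.lower()
    reasons = []
    if "../" in value:
        reasons.append("path traversal")
    if "\x00" in value:
        reasons.append("null byte")  # classic suffix-truncation trick on old PHP
    if any(name in low for name in SENSITIVE_PATHS):
        reasons.append("sensitive file name")
    if any(low.startswith(w) for w in WRAPPERS):
        reasons.append("stream wrapper")
    return reasons


def block_request(target: str) -> bool:
    """Virtual-patch style check on a request target: True if any query
    parameter value trips inspect_value(). parse_qsl() decodes once already."""
    query = urlsplit(target).query
    return any(inspect_value(value) for _, value in parse_qsl(query, keep_blank_values=True))


def scan_access_log(text: str) -> list[dict]:
    """Detection pass over access-log text; one hit per suspicious parameter.
    A 200 response to a traversal request means the include likely succeeded."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = inspect_value(value)
            if reasons:
                hits.append({
                    "line": n,
                    "ip": m.group("ip"),
                    "param": name,
                    "value": fully_decode(value),
                    "status": int(m.group("status")),
                    "likely_success": m.group("status") == "200",
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked"
        print(f"line {hit['line']} {hit['ip']} {hit['param']}={hit['value']!r} "
              f"[{hit['status']} {flag}] {', '.join(hit['reasons'])}")
```

Run it against real logs by feeding the file contents to scan_access_log(); the 200-status hits from a single IP in quick succession are the ones to triage first, and any such hit against wp-config.php is the trigger for rotating the credentials discussed under Impact. The decode loop is the part most often missing from hand-written WAF rules: a rule that matches the literal string "../" catches line 2 but not line 3.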

AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References (1)

News mentions (0)

No linked articles in our index yet.