WordPress Mr. SEO theme <= 2.0 - Local File Inclusion vulnerability

Vulnerability

The Mr. SEO WordPress theme versions 2.0 and earlier contain an unauthenticated Local File Inclusion (LFI) vulnerability. An attacker can include arbitrary local files from the server without requiring any authentication or user interaction. The vulnerability is present in the theme's file handling logic, allowing inclusion of files such as configuration files containing database credentials. [1]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint. No authentication is needed, and the attack can be performed remotely over the network. The attacker simply needs to manipulate a parameter that controls file inclusion to point to a local file path. The file's contents are then displayed in the response. [1]

Impact

Successful exploitation allows an unauthenticated attacker to read sensitive local files from the server, including files that store database credentials. This could lead to complete database compromise depending on the server configuration. The vulnerability is considered highly dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites. [1]

Mitigation

The vulnerability is fixed in version 2.1 of the Mr. SEO theme. Users are advised to update to version 2.1 or later immediately. If unable to update, a mitigation rule is available from Patchstack to block attacks until the update is applied. [1]