XStore WordPress Theme Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the XStore theme for WordPress, affecting all versions through 9.5.4. The issue arises in the 'theet_ajax_required_plugins_popup()' function, allowing authenticated attackers with Subscriber-level access and above to include and execute arbitrary PHP files on the server. This vulnerability could be exploited to bypass access controls, access sensitive data, or execute code in scenarios where PHP files can be uploaded and included.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of PHP code on the server, potentially allowing attackers to bypass access controls, access sensitive information, or execute malicious code, especially in cases where uploaded PHP files can be included and executed.
Remediation
Users are advised to update the XStore theme to version 9.6 or a newer patched version.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.