Zagg Electronics and Accessories WooCommerce WordPress Theme Unauthenticated Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the Zagg - Electronics & Accessories WooCommerce WordPress Theme, affecting all versions through 1.4.1. The issue lies in the load_view() function, which is reachable through several AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product'. It allows unauthenticated attackers to include arbitrary files on the server, and any PHP code those files contain is executed. Exploitation could be used to bypass access controls, obtain sensitive data, or achieve code execution where images and other 'safe' file types can be uploaded and then included.
Impact
Exploitation of this vulnerability could lead to unauthorized file inclusion, allowing attackers to execute arbitrary PHP code on the server. This could be used to bypass access controls, access sensitive information, or execute malicious code, especially in cases where uploaded files can be included and executed.
Remediation
No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected theme.
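For site owners who customise the theme rather than remove it, the following is an added example (not the Zagg theme's own code) of how an AJAX view loader can be hardened against this class of bug: the request never reaches include() directly, only an allow-listed slug that maps to a fixed template path under the theme root. The 'view' parameter, the views/ directory, the nonce action and the function names are assumptions for illustration.

```php
<?php
// Added example, not the theme's code. Names below are hypothetical.

// Every template the AJAX actions may ever render, keyed by a plain slug.
const ZAGG_ALLOWED_VIEWS = array(
    'post-item'    => 'views/post-item.php',
    'shop-grid'    => 'views/shop-grid.php',
    'product-item' => 'views/product-item.php',
);

/**
 * Map an untrusted view name to a template path inside the theme, or return
 * null. Request data is used only as a lookup key, never as a path fragment.
 */
function zagg_safe_load_view( $view ) {
    // Reject anything that is not a short slug before touching the filesystem.
    if ( ! is_string( $view ) || ! preg_match( '/^[a-z0-9-]{1,40}$/', $view ) ) {
        return null;
    }
    if ( ! array_key_exists( $view, ZAGG_ALLOWED_VIEWS ) ) {
        return null;
    }
    $base = realpath( get_template_directory() );
    $path = realpath( $base . '/' . ZAGG_ALLOWED_VIEWS[ $view ] );
    // Defence in depth: the resolved file must still sit under the theme root.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

function zagg_ajax_load_more_post() {
    // A nonce is still worth checking on the unauthenticated endpoint.
    check_ajax_referer( 'zagg_ajax', 'nonce' );
    $view = isset( $_POST['view'] ) ? sanitize_key( wp_unslash( $_POST['view'] ) ) : '';
    $path = zagg_safe_load_view( $view );
    if ( null === $path ) {
        wp_send_json_error( 'unknown view', 400 );
    }
    ob_start();
    include $path;
    wp_send_json_success( ob_get_clean() );
}
add_action( 'wp_ajax_load_more_post', 'zagg_ajax_load_more_post' );
add_action( 'wp_ajax_nopriv_load_more_post', 'zagg_ajax_load_more_post' );
```

The same loader can back the 'load_shop' and 'load_more_product' actions; what matters is that the list of includable files is fixed in code and the request can only choose among them.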