Case Themes Case Theme User Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the WordPress Case Theme User plugin, affecting versions prior to 1.0.4. This vulnerability arises from improper control of filenames in include or require statements, allowing for PHP remote file inclusion. Exploitation of this issue could enable attackers to include local files from the target website and display their contents, potentially leading to the exposure of sensitive information such as database credentials.

Impact

Successful exploitation could allow a malicious actor to include local files from the server, with the included file's output being displayed on the website. This could lead to the exposure of sensitive information, such as database credentials, which could then be used to compromise the entire database, depending on the configuration.

Remediation

Users of the WordPress Case Theme User plugin should update to version 1.0.4 or later. Patchstack users can enable auto-updates for vulnerable plugins.