GoalThemes Lindo WordPress Theme Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the GoalThemes Lindo WordPress theme, specifically in versions through 1.2.5. This vulnerability arises from improper control of filenames in include or require statements, allowing for the inclusion of local files on the server. Such inclusion could be exploited to read sensitive files, potentially leading to a complete takeover of the database, depending on the site's configuration.

Impact

Exploitation of this vulnerability could allow an attacker to include and execute local files on the server, with the possibility of accessing sensitive information such as database credentials. In some cases, this could lead to a full compromise of the database.

Remediation

Users are advised to update to a version of the GoalThemes Lindo WordPress theme that is later than 1.2.5. For those using Patchstack, a mitigation rule has been issued to block attacks targeting this vulnerability.