Kallyas WordPress Theme Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the Kallyas theme for WordPress, affecting all versions through 4.21.0. The vulnerability arises in the 'TH_LatestPosts4' widget, allowing authenticated attackers with Contributor-level access and above to include and execute arbitrary PHP files on the server. This exploitation could bypass access controls, access sensitive data, or execute code in scenarios where PHP files can be uploaded and included.
Impact
Exploitation of this vulnerability could lead to unauthorized file inclusion, allowing attackers to execute arbitrary PHP code on the server. This could be used to bypass access controls, access sensitive information, or execute malicious code, especially in cases where uploaded PHP files can be included and executed.
Remediation
Users are advised to update the Kallyas WordPress theme to version 4.22.0 or later.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.