WordPress Metro Theme Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the WordPress Metro theme, specifically in versions through 2.13. This issue arises from improper control of filenames in include or require statements, allowing for the inclusion of local files on the server. Such inclusion could potentially be exploited to access sensitive files, like those containing database credentials, which might lead to a complete takeover of the database, depending on the site's configuration.
Impact
Exploitation of this vulnerability could allow a malicious actor to include local files from the server and display their contents. This could be used to access sensitive information, such as database credentials, and potentially compromise the entire database.
Remediation
Users of the WordPress Metro theme are advised to update to a version later than 2.13. Patchstack has also issued a mitigation rule to block attacks targeting this vulnerability until an official patch can be applied.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.