ThemeREX Tuning WordPress Theme Local File Inclusion Vulnerability

A local file inclusion vulnerability has been identified in the ThemeREX Tuning WordPress theme, specifically in versions through 1.3. This vulnerability arises from improper control of filenames in include or require statements, allowing PHP remote file inclusion that could be exploited for local file inclusion instead. An unauthenticated user could potentially leverage this vulnerability to include local files from the server, such as those containing sensitive information like database credentials, which could lead to a complete takeover of the database, depending on the server's configuration.

Impact

Exploitation of this vulnerability could allow an attacker to include and execute local files on the server, potentially leading to the disclosure of sensitive information or unauthorized access to system resources. In this case, it could allow access to database credentials, with the possibility of taking over the entire database.

Remediation

Users are advised to update to a version of the ThemeREX Tuning WordPress theme that is later than 1.3. Patchstack has also issued a mitigation rule to block attacks targeting this vulnerability until an official patch can be applied.