Copypress
Monthly
Unauthenticated local file inclusion in the CopyPress WordPress theme (ThemeREX) through version 1.4.5 lets remote attackers coerce the PHP include/require chain into loading arbitrary server-side files without credentials. Patchstack catalogued the flaw as CWE-98 with CVSS 8.1, and no public exploit identified at time of analysis. Successful exploitation can expose sensitive files such as wp-config.php and, depending on the include sink, escalate to PHP code execution.
Unauthenticated local file inclusion in the CopyPress WordPress theme (ThemeREX) through version 1.4.5 lets remote attackers coerce the PHP include/require chain into loading arbitrary server-side files without credentials. Patchstack catalogued the flaw as CWE-98 with CVSS 8.1, and no public exploit identified at time of analysis. Successful exploitation can expose sensitive files such as wp-config.php and, depending on the include sink, escalate to PHP code execution.