Quirky
Monthly
Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.