Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes EasyEat easyeat allows PHP Local File Inclusion.This issue affects EasyEat: from n/a through <= 1.9.0.
The vulnerability results from improper control of the filename passed to the include/require instruction in the theme's PHP code. An attacker can manipulate the input parameter to point to any file locally accessible on the server. Authentication or user interaction is not required — the exploit can be carried out remotely over the network with minimal complexity.
An attacker can read sensitive system or configuration files (e.g., database credentials) and, under favorable conditions, execute malicious PHP code leading to complete server compromise.
The EasyEat theme should be updated to a version higher than 1.9.0. If an update is not available, the theme should be immediately disabled and information from the vendor and Patchstack database should be reviewed at the address indicated in the references.
WordPress EasyEat theme (AncoraThemes) in versions from n/a to 1.9.0 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H