CVE-2025-68063

Splash · Splash - Sport Club WordPress Theme

The Splash Sport Club WordPress theme contains a Local File Inclusion (LFI) vulnerability that allows authenticated contributors to access sensitive files on the server.

Executive summary

A Local File Inclusion vulnerability in the Splash Sport Club WordPress theme allows authenticated contributors to potentially read sensitive server files.

Vulnerability

This is a Local File Inclusion (LFI) vulnerability in the theme itself: an authenticated user with "Contributor"-level access can cause the theme to include arbitrary files from the server, potentially leading to information disclosure.

Business impact

The CVSS score of 7.5 reflects the high risk posed by LFI vulnerabilities, which can lead to the exposure of configuration files, database credentials, and sensitive source code. If successfully exploited, an attacker could gain sufficient information to escalate privileges or fully compromise the underlying WordPress installation, resulting in data theft and site defacement.

Remediation

Immediate Action: Update the Splash theme to the latest patched version provided by the vendor. If an update is unavailable, consider disabling the theme until a secure version is released.

Proactive Monitoring: Audit WordPress user roles to ensure only trusted individuals hold "Contributor" or higher privileges, and monitor server access logs for path traversal attempts.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block common LFI patterns and directory traversal attempts directed at the WordPress environment.
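To make the "monitor server access logs for path traversal attempts" step concrete, here is an added detection example (not part of the advisory or the vendor's code) that scans combined-format web server log lines for traversal and sensitive-file indicators aimed at WordPress paths. The log lines, the endpoint and the `tpl` parameter are constructed placeholders; the advisory does not name the vulnerable request.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access log lines (combined format); endpoint and parameter names are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-content/themes/splash/style.css HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?tpl=../../../../wp-config.php HTTP/1.1" 200 812
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?tpl=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1400
203.0.113.9 - - [10/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?tpl=%252e%252e%252fwp-config.php%2500 HTTP/1.1" 500 300
198.51.100.2 - - [10/Jan/2025:10:00:05 +0000] "GET /wp-content/uploads/2025/01/photo.jpg HTTP/1.1" 200 20480
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SENSITIVE = ("wp-config.php", "/etc/passwd", "/etc/shadow", ".htaccess", "php://", "/proc/self/")

def normalize(target: str) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded traversal is seen, then fold case and slashes."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def traversal_indicators(target: str) -> list:
    """Return the LFI/traversal indicators present in one request target (empty list if clean)."""
    norm = normalize(target)
    hits = []
    if "../" in norm or norm.endswith(".."):
        hits.append("dot-dot-slash")
    if "\x00" in norm:
        hits.append("null-byte")
    hits.extend("sensitive:" + name for name in SENSITIVE if name in norm)
    return hits

def scan_access_log(text: str) -> list:
    """Flag requests against WordPress paths (/wp-*) that carry traversal or sensitive-file indicators."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("target").lower().startswith("/wp-"):
            continue
        hits = traversal_indicators(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "status": int(m.group("status")), "target": m.group("target"), "indicators": hits})
    return findings

def offenders(findings: list) -> Counter:
    return Counter(f["ip"] for f in findings)  # flagged requests per source IP, for triage and role audits
```

A 200 status on a flagged request is the case to escalate first, since it suggests the include succeeded; the per-IP count feeds the user-role audit recommended above.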

Exploitation status

Public Exploit Available: false

Analyst recommendation

Security teams must prioritize updating this theme to mitigate the risk of file disclosure. While this vulnerability requires contributor-level authentication, the potential for sensitive information leakage makes it a significant threat to the security posture of the WordPress application.