CVE-2026-25027
ThemeMove · Unicamp
The ThemeMove Unicamp theme for WordPress contains a Local File Inclusion (LFI) vulnerability due to improper control of filenames in PHP include statements.
Executive summary
ThemeMove Unicamp is vulnerable to Local File Inclusion (LFI): a request value reaches a PHP include without adequate validation, so an attacker can make the server include arbitrary local files. That discloses sensitive files and, if the attacker can get PHP code into any file the web server can read, executes it.
Vulnerability
This is a Local File Inclusion (LFI) vulnerability caused by improper control of the filename passed to a PHP include or require statement. By manipulating an input parameter, an attacker can make the application include local files outside the intended template directory. Two details matter when assessing impact: include executes what it loads, so pointing it at a PHP file such as wp-config.php runs that file rather than displaying it, whereas non-PHP files are echoed back verbatim; and where the attacker controls the start of the path, a stream wrapper such as php://filter/convert.base64-encode/resource=wp-config.php returns the file's source, database credentials included.
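The pattern described above, as an added example that is not the Unicamp theme's code: a hypothetical template loader with the request value flowing straight into include, beside a hardened version that treats the value only as a key into an allowlist and re-checks the resolved path. The directory layout, the allowlisted names, the secret.txt stand-in for wp-config.php and the whole fixture are constructed for the demonstration.

```php
<?php
// Added example, not code from the Unicamp theme: a hypothetical theme helper
// that loads a template part named by a request value. The directory layout,
// the allowlisted names and the "secret.txt" stand-in for wp-config.php are
// all constructed for this demonstration.
declare(strict_types=1);

// VULNERABLE: the request value reaches include unchanged. "../" sequences
// walk out of the template directory, and because include executes what it
// loads, a PHP file is run rather than displayed while a plain-text file is
// echoed straight into the response.
function load_template_vulnerable(string $templateDir, string $name): void
{
    include $templateDir . '/' . $name;   // $name is attacker-controlled
}

// HARDENED: the request value is only ever a key into a fixed allowlist, and
// the resolved path is re-checked against the template directory so a later
// careless allowlist edit still cannot escape it. Returns false on rejection
// so the caller can answer with a 400 instead of including anything.
function load_template_safe(string $templateDir, string $name): bool
{
    $allowed = [
        'course'  => 'course.php',
        'event'   => 'event.php',
        'teacher' => 'teacher.php',
    ];
    if (!isset($allowed[$name])) {
        return false;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $allowed[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Constructed fixture: one real template inside templates/, and a "secret"
// one level above it, roughly where wp-config.php sits relative to a theme.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/course.php', "<?php echo \"course template\\n\";\n");
file_put_contents($root . '/secret.txt', "DB_PASSWORD=hunter2\n");
$tpl = $root . '/templates';

// A legitimate request is served identically by both loaders.
echo "legitimate request, vulnerable loader:  ";
load_template_vulnerable($tpl, 'course.php');
echo "legitimate request, hardened loader:    ";
load_template_safe($tpl, 'course');

// A traversal value makes the vulnerable loader include, and therefore echo,
// the secret file; the hardened loader rejects it because it is not a key.
echo "traversal, vulnerable loader:           ";
load_template_vulnerable($tpl, '../secret.txt');
echo "traversal, hardened loader:             ";
echo load_template_safe($tpl, '../secret.txt') ? "included\n" : "rejected\n";

// Tidy up the fixture.
unlink($root . '/templates/course.php');
unlink($root . '/secret.txt');
rmdir($root . '/templates');
rmdir($root);
```

Run it with php on a Unix host. Because this sink prefixes the template directory, stream wrappers do not apply to it; where user input forms the start of the included path, php://filter/convert.base64-encode/resource=wp-config.php would return that file's source instead of executing it, which is the variant to test for when triaging a report against a specific sink.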
Business impact
Successful exploitation gives an attacker access to sensitive server-side files, including configuration that carries database credentials. The vulnerability carries a CVSS score of 7.5. It can escalate to remote code execution (RCE) because include executes whatever it loads: if the attacker can place PHP code in any file the web server can read (an uploaded file, a poisoned log or session file), including that file runs the code, resulting in full compromise of the site and potentially the host.
Remediation
Immediate Action: Update the ThemeMove Unicamp theme to the latest version immediately to patch the insecure PHP inclusion logic.
Proactive Monitoring: Scan web server logs for directory traversal and stream-wrapper strings in request parameters: ../ sequences (including the URL-encoded %2e%2e%2f and double-encoded %252e%252e%252f forms and backslash variants), php://filter, and references to wp-config.php or /etc/passwd. Treat a flagged request that returned HTTP 200 as a likely successful read rather than a probe.
Compensating Controls: Do not rely on allow_url_include; it is off by default, deprecated since PHP 7.4, and governs only remote and stream-wrapper includes, so it does not stop inclusion of local files. Instead set open_basedir to confine PHP to the WordPress document root, run PHP as a low-privileged user with no write access to the web root, and deploy WAF rules that block traversal and wrapper strings; if the theme is not in active use, disable it until it is updated.
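The log check from the monitoring item above, as an added example that is not part of the advisory: a small scanner over Apache combined-format access-log lines that percent-decodes each request target (bounded, so double encoding cannot hide a traversal), then flags ../ sequences and PHP stream wrappers. The template query parameter and every log line are constructed for the demonstration.

```php
<?php
// Added example, not part of the advisory: a scanner over Apache "combined"
// format access-log lines that flags requests carrying directory traversal or
// PHP stream-wrapper strings, decoding URL encoding first so %2e%2e%2f and the
// double-encoded %252e%252e%252f are both caught. The "template" query
// parameter and every line in SAMPLE_LOG are constructed for this demo.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /?template=course HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2026:12:00:02 +0000] "GET /?template=../../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/8.0"
203.0.113.12 - - [10/Mar/2026:12:00:03 +0000] "GET /?template=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3021 "-" "python-requests/2.31"
203.0.113.13 - - [10/Mar/2026:12:00:04 +0000] "GET /?template=%252e%252e%252fwp-config.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
203.0.113.14 - - [10/Mar/2026:12:00:05 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4400 "-" "curl/8.0"
203.0.113.15 - - [10/Mar/2026:12:00:06 +0000] "GET /wp-content/themes/unicamp/style.css HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
LOG;

// Percent-decode repeatedly (bounded) so double encoding cannot hide "../",
// then fold backslashes and case so one pattern set covers the variants.
function normalize_request(string $target): string
{
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($target);
        if ($decoded === $target) {
            break;
        }
        $target = $decoded;
    }
    return strtolower(str_replace('\\', '/', $target));
}

// "../" anywhere in the decoded target, or a stream wrapper that LFI payloads
// commonly use to read source or smuggle code.
function is_lfi_attempt(string $target): bool
{
    $n = normalize_request($target);
    return preg_match('#\.\./|(?:php|expect|file|phar|zip)://|data:#', $n) === 1;
}

// Returns one entry per flagged line: client IP, HTTP status and the request
// target. A 200 on a flagged request deserves a closer look than a 404.
function scan_access_log(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
            continue;
        }
        if (is_lfi_attempt($m[2])) {
            $hits[] = ['ip' => $m[1], 'status' => (int) $m[3], 'target' => $m[2]];
        }
    }
    return $hits;
}

foreach (scan_access_log(SAMPLE_LOG) as $hit) {
    printf("%-14s %d %s\n", $hit['ip'], $hit['status'], $hit['target']);
}
```

Feed a real access log by replacing SAMPLE_LOG with file_get_contents on the log path, or stream it line by line for large files. Decoding before matching is the point: a plain grep for ../ misses the encoded forms, and a single rawurldecode misses the double-encoded one.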
Exploitation status
Public Exploit Available: false
Analyst recommendation
LFI is rarely the end of an attack; it is typically the foothold for credential theft and code execution. Apply the theme update now, then review logs for the traversal and wrapper patterns above to determine whether the file read was already exploited before the patch landed.