CVE-2026-57743

stmcan · RT-Theme 18 | Extensions

A local file inclusion vulnerability in the RT-Theme 18 | Extensions WordPress plugin allows unauthenticated attackers to potentially read or execute arbitrary files on the server.

Executive summary

An unauthenticated local file inclusion vulnerability in the stmcan RT-Theme 18 | Extensions plugin presents a critical risk of full site compromise.

Vulnerability

The plugin suffers from an improper control of filenames used in include/require statements (CWE-98). Because this vector is accessible without authentication, it allows an attacker to influence the file path, potentially leading to sensitive data disclosure or remote code execution.

Business impact

With a CVSS score of 8.1, this vulnerability represents a high risk to the confidentiality, integrity, and availability of the affected WordPress site. An attacker can leverage this flaw to read sensitive system files or execute arbitrary code, which could result in data theft or the permanent loss of control over the application.

Remediation

Immediate Action: Immediately deactivate or remove the RT-Theme 18 | Extensions plugin from the production environment until a verified patch is provided by the vendor.

Proactive Monitoring: Monitor server logs for unusual URL patterns or requests containing directory traversal sequences that might indicate an attempt to exploit the file inclusion flaw.

Compensating Controls: Implement WAF rules to sanitize and block requests that attempt to traverse directories or include unauthorized file types within the application parameters.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the absence of authentication requirements and the potential for remote code execution, this vulnerability should be treated with extreme urgency. Deactivation is the recommended course of action until the vendor supplies a secure version.