CVE-2026-57790

ThemeMove · Billey

A Local File Inclusion (LFI) vulnerability in the Billey WordPress theme allows authenticated users with low privileges to include arbitrary local files.

Executive summary

The Billey WordPress theme is vulnerable to Local File Inclusion, which could allow an authenticated attacker to access sensitive server files.

Vulnerability

This vulnerability is a PHP Local File Inclusion (CWE-98) flaw occurring due to improper validation of filenames in include/require statements. It requires the attacker to have at least low-level authenticated access to the WordPress instance.

Business impact

With a CVSS score of 7.5 (High), this vulnerability poses a severe risk to the confidentiality and integrity of the affected website. Successful exploitation could allow an attacker to bypass security restrictions to read sensitive server-side files, potentially leading to further compromise of the web server.

Remediation

Immediate Action: No patch is currently available; administrators should deactivate the Billey theme until a secure update is released by the vendor.

Proactive Monitoring: Monitor site traffic and server logs for signs of path traversal attempts, particularly those targeting core system or configuration files.

Compensating Controls: Utilize a Web Application Firewall (WAF) to inspect and block incoming requests containing malicious path traversal strings.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the high-risk nature of this LFI vulnerability, administrators must act quickly. In the absence of a vendor patch, deactivating the Billey theme is the only effective way to prevent potential exploitation until the developer releases a secure version.