CVE-2026-57791

ThemeMove · Brook

The Brook WordPress theme is vulnerable to Local File Inclusion (LFI) due to improper control of filenames used in include/require statements.

Executive summary

A Local File Inclusion vulnerability in the ThemeMove Brook WordPress theme allows authenticated attackers to potentially execute arbitrary code or access sensitive server files.

Vulnerability

This is a Local File Inclusion (LFI) vulnerability (CWE-98) where an authenticated user with low privileges can manipulate file paths in include/require statements. The vulnerability requires high attack complexity but allows for significant impact on system integrity and confidentiality.

Business impact

Successful exploitation of this flaw can lead to unauthorized access to sensitive configuration files or the execution of arbitrary PHP code on the server. Given the CVSS score of 7.5, this vulnerability is categorized as High severity, posing a significant risk to the confidentiality and integrity of the affected WordPress environment.

Remediation

Immediate Action: As no official patch is currently available, administrators should immediately disable or remove the affected theme if it is not business-critical.

Proactive Monitoring: Review web server access logs for suspicious requests containing path traversal sequences or unexpected file inclusions.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block common LFI patterns and path traversal attempts targeting the WordPress theme directory.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Due to the lack of an available security patch, users of the Brook theme must prioritize risk mitigation through temporary deactivation or the implementation of strict WAF filtering. Organizations should monitor vendor communications closely for the release of a patched version and apply it immediately upon availability.