CVE-2026-57793

Elated-Themes · Flow

The Flow WordPress theme is susceptible to Local File Inclusion (LFI) due to insufficient input validation when handling filenames in include/require statements.

Executive summary

A Local File Inclusion vulnerability in the Elated-Themes Flow WordPress theme allows authenticated attackers to potentially compromise the application by accessing or executing arbitrary files.

Vulnerability

This vulnerability (CWE-98) allows an authenticated attacker to influence file inclusion operations. This permits the inclusion of unauthorized local files, which can lead to server-side code execution or the disclosure of sensitive application information.

Business impact

The exploitation of this flaw poses a high risk to business operations, as it can lead to unauthorized data access and total system compromise. The CVSS score of 7.5 highlights the severe impact on the application's security posture and the necessity for immediate defensive action.

Remediation

Immediate Action: As no patch is available, administrators are advised to deactivate the Flow theme to eliminate the attack vector until a secure version is released.

Proactive Monitoring: Review application logs for evidence of directory traversal or unauthorized include attempts, particularly those originating from authenticated user sessions.

Compensating Controls: Implement a Web Application Firewall (WAF) to detect and block malicious payloads intended to exploit LFI vulnerabilities in the theme's code.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Given the high severity of this LFI vulnerability and the current lack of a patch, immediate deactivation of the affected theme is the most effective temporary control. Administrators must monitor for vendor updates and apply them immediately to ensure long-term security.