CVE-2026-57796

VLThemes · Leedo

The Leedo WordPress theme contains a Local File Inclusion (LFI) vulnerability due to improper control of filenames in include/require statements, allowing unauthorized file access.

Executive summary

A Local File Inclusion vulnerability in the Leedo WordPress theme allows authenticated attackers to read sensitive files on the server, posing a high security risk.

Vulnerability

This is a Local File Inclusion (LFI) flaw (CWE-98) occurring within the theme's file handling logic. The vulnerability requires the attacker to have low-level privileges (authenticated) to trigger the malicious inclusion.

Business impact

Exploitation of this vulnerability could allow attackers to bypass security controls to read sensitive system files, potentially leading to unauthorized data disclosure or escalation of privileges. The CVSS score of 7.5 highlights the severe impact on confidentiality and system integrity, necessitating an urgent response.

Remediation

Immediate Action: As no patch is currently available, administrators should immediately deactivate the Leedo theme until a secure update is released by the vendor.

Proactive Monitoring: Monitor server logs for suspicious activity, particularly requests that attempt to access files outside the expected document root.

Compensating Controls: Utilize a Web Application Firewall (WAF) to block requests that match known directory traversal patterns frequently used in LFI attacks.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Due to the high-risk nature of this LFI vulnerability, immediate deactivation of the Leedo theme is the most effective way to secure the environment. Ensure that all security patches from the vendor are applied as soon as they become available and continue to monitor for any signs of unauthorized file access.