CVE-2026-57799

uxper · Nuss

The Nuss WordPress theme contains a Local File Inclusion (LFI) vulnerability that allows authenticated attackers to include arbitrary local files via improper filename handling.

Executive summary

A high-severity Local File Inclusion vulnerability in the uxper Nuss WordPress theme enables authenticated attackers to access sensitive server files or execute arbitrary code.

Vulnerability

This flaw, identified as CWE-98, stems from the theme's failure to sanitize inputs passed to PHP include/require statements. An attacker with low-level privileges can exploit this to perform Local File Inclusion, which may lead to the exposure of sensitive system information or server-side code execution.

Business impact

The CVSS score of 7.5 highlights the potential for severe impact, including the compromise of site integrity and the potential for full server takeover. By accessing sensitive files, attackers could escalate their access, bypass authentication mechanisms, or exfiltrate proprietary data, resulting in significant reputational and operational damage.

Remediation

Immediate Action: No patch is currently available; administrators should deactivate the Nuss theme and switch to a secure alternative until the vendor releases a remediated version.

Proactive Monitoring: Review web server logs for suspicious activity, specifically looking for attempts to access non-public directories or system files via the theme's parameters.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter and block malicious requests attempting to traverse the file system through theme-related URI parameters.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given that no official fix has been issued, immediate removal or deactivation of the affected theme is required to mitigate the risk of compromise. Security teams should verify that no unauthorized accounts are currently active and monitor for any signs of exploitation until the vendor provides a validated patch.