CVE-2026-57800
Edge-Themes · Overworld
The Overworld WordPress theme is affected by a Local File Inclusion (LFI) vulnerability resulting from insecure handling of filenames in PHP include/require operations.
Executive summary
A high-severity Local File Inclusion vulnerability in the Edge-Themes Overworld WordPress theme permits authenticated attackers to access sensitive files and potentially execute arbitrary code.
Vulnerability
Classified under CWE-98, this vulnerability allows an authenticated attacker to manipulate input parameters that are subsequently used in file inclusion functions. This lack of input validation enables the inclusion of arbitrary local files, which can be leveraged to compromise the web application's security posture.
Business impact
With a CVSS score of 7.5, this vulnerability represents a substantial risk of unauthorized data access and potential remote code execution. Exploitation could lead to the exposure of critical configuration files, database credentials, or internal site structures, severely impacting the availability and confidentiality of business-critical web assets.
Remediation
Immediate Action: As there is no current patch, administrators must deactivate the Overworld theme immediately to prevent potential exploitation.
Proactive Monitoring: Implement enhanced logging to track unusual request patterns that deviate from normal site usage, specifically targeting file inclusion attempts.
Compensating Controls: Deploy WAF rules designed to identify and block directory traversal attempts, providing a layer of defense while awaiting an official theme update.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The absence of a patch necessitates a proactive removal of the vulnerable theme from production environments. Organizations should treat this as a high-priority risk and implement strict access controls to the WordPress dashboard until a secure version is available for deployment.