Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through <= 1.0.0.
The vulnerability results from improper validation of the filename passed to include/require instructions in the theme's PHP code (CWE-98). An attacker can provide crafted input that manipulates the path of the included file, forcing the server to load any local file. This can lead to reading sensitive system files or executing malicious code if the attacker has previously gained the ability to place a file on the server.
An attacker can read sensitive files from the server (e.g., database configuration, credentials) and potentially execute remote code, leading to complete system takeover — compromising confidentiality, integrity, and availability.
Apply patches available from the vendor according to the references. Until the update is applied, it is recommended to deactivate the theme or restrict access to the website. Detailed information is available in the Patchstack database.
WordPress theme 'Healer - Doctor, Clinic & Medical WordPress Theme' by ThemeREX, versions from n/a to 1.0.0 inclusive.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H