WordPress Theme LuxMed Local File Inclusion (LFI) Vulnerability Advisory

Vulnerability Overview Vulnerability Name: Local File Inclusion (LFI) Priority: High Priority Affected Versions: <= 1.2.2 Official Patch: No official patch available Impact Scope Risk Level: CVSS 8.1 Description: This vulnerability is highly dangerous and expected to be exploited. Similar vulnerabilities are frequently used in large-scale attack campaigns, allowing attackers to target tens of thousands of websites simultaneously, regardless of their traffic volume or popularity. Specific Impact: Allows malicious actors to include local files from the target website and output them to the screen. Files storing credentials (such as database credentials) may be leaked, potentially leading to database takeover depending on the configuration. Remediation Recommended Actions: Immediately update the affected plugin. If an update is not possible, contact your hosting provider or website developer for assistance. Patchstack Solution: Patchstack has released mitigation rules that can block any attacks prior to the availability of an official patch, allowing for testing and secure deployment. Details Software: LuxMed Type: Theme Affected Versions: <= 1.2.2 CVSS Score: 8.1 Reporter: Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) Report Date: October 16, 2026 Timeline Report Date: October 16, 2026 Additional Information Patchstack Services: Provides the fastest vulnerability mitigation services to ensure website security. Subscription: You can subscribe to weekly WordPress security intelligence. Code Block POC Code / Exploit Code: No specific POC code or exploit code is provided on the page. Summary This is a high-priority Local File Inclusion (LFI) vulnerability affecting versions <= 1.2.2 of the LuxMed

Goal Reached Thanks to every supporter — we hit 100%!

WordPress Theme LuxMed Local File Inclusion (LFI) Vulnerability Advisory