Boo v2.5 Theme by Themerella suffers from a local file include vulnerability.


get_template_part can be used to include any file: for whatever reason, the function does not check that the file to be included is at least located in the theme folder. If somebody controls the first parameter, they can include any .php file.

The Boo Theme v2.5 in single.php takes a user supplied $_GET parameter and calls get_template_part:

if( current_theme_supports( 'theme-demo' ) && !empty( $_GET['ps'] ) ) {
    // $style comes straight from the query string, with no validation
    $style = $_GET['ps'];
    get_template_part( 'templates/blog/single/' . $style );
}
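
One way to close this hole is to accept the ps value only when it exactly matches a template file that ships in templates/blog/single/. The following is an added example, not code from the theme or its vendor; the function names boo_allowed_styles and boo_safe_style, the style names and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not the theme's code. Style names are hypothetical.

// Build the allowlist from the template files that actually ship in the directory.
function boo_allowed_styles( $dir ) {
    $names = array();
    foreach ( glob( rtrim( $dir, '/' ) . '/*.php' ) ?: array() as $file ) {
        $names[] = basename( $file, '.php' );
    }
    return $names;
}

// Return the requested style only on an exact allowlist match, otherwise null.
function boo_safe_style( $requested, array $allowed ) {
    // ?ps[]=x arrives as an array; reject anything that is not a string.
    if ( ! is_string( $requested ) ) {
        return null;
    }
    // Strict comparison: no type juggling, no prefix or partial matches.
    return in_array( $requested, $allowed, true ) ? $requested : null;
}

// Call site in single.php (WordPress functions, kept as a comment so this file runs stand-alone):
//   $dir   = get_template_directory() . '/templates/blog/single';
//   $style = boo_safe_style( $_GET['ps'] ?? null, boo_allowed_styles( $dir ) );
//   if ( current_theme_supports( 'theme-demo' ) && null !== $style ) {
//       get_template_part( 'templates/blog/single/' . $style );
//   }

// Constructed demo: a temporary directory standing in for templates/blog/single/.
$dir = sys_get_temp_dir() . '/boo_demo_' . uniqid();
mkdir( $dir );
touch( "$dir/classic.php" );
touch( "$dir/modern.php" );
$allowed = boo_allowed_styles( $dir );

// Constructed sample values for the ps parameter.
$samples = array( 'classic', 'modern', '../../some/other/file', 'classic/../modern', '', array( 'classic' ) );
foreach ( $samples as $s ) {
    $style = boo_safe_style( $s, $allowed );
    echo json_encode( $s ), ' => ', null === $style ? 'rejected' : "templates/blog/single/$style", "\n";
}

// Clean up the demo directory.
array_map( 'unlink', glob( "$dir/*.php" ) );
rmdir( $dir );
```

Because the value is compared against file names rather than filtered for bad characters, anything containing a path separator or traversal sequence fails the match without needing a separate check.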

Exploiting this issue is pretty simple: just find a blog post URL and add the ps parameter to it.

Boo Theme Local File Include Exploit POC  

Impact 3/10

The Boo theme has only about 2000 sales, and one would need access to the local file system to turn this into an RCE.


26 - 12 - 2017 - Vulnerability discovered.  
26 - 12 - 2017 - Vendor notified.  
26 - 07 - 2017 - Vendor does not acknowledge the issue.  
02 - 01 - 2018 - Vulnerability goes public.