Description
Path Traversal: '.../...//' vulnerability in Frenify Arlo arlo allows PHP Local File Inclusion.This issue affects Arlo: from n/a through <= 6.0.3.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw in the Frenify Arlo WordPress theme that permits PHP Local File Inclusion. By supplying a crafted path containing sequences like .../...//, an attacker may force the theme to include arbitrary local files. This can allow the disclosure of sensitive site data or execution of malicious code within the WordPress environment.

Affected Systems

The flaw affects the Frenify Arlo WordPress theme up to and including version 6.0.3. WordPress sites deploying any of these versions are susceptible. No other vendors or products are explicitly enumerated in the CVE.

Risk and Exploitability

The CVSS score of 8.1 rates the flaw as high severity, while the EPSS score is under 1%, indicating a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web‑based request to the affected theme’s PHP entry points, and the weakness originates from insufficient validation of path components as described by CWE‑35.

Generated by OpenCVE AI on April 30, 2026 at 17:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Frenify Arlo theme to version 6.0.4 or later to remove the path traversal flaw.
  • If upgrading is not immediately feasible, configure the web server or application to reject or sanitize path traversal sequences when accessing the theme’s PHP files.
  • Deploy a web application firewall or logging rule to detect and block attempts to exploit file inclusion via traversal attacks.

Generated by OpenCVE AI on April 30, 2026 at 17:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17512 Path Traversal vulnerability in Frenify Arlo allows PHP Local File Inclusion. This issue affects Arlo: from n/a through 6.0.3.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in Frenify Arlo allows PHP Local File Inclusion. This issue affects Arlo: from n/a through 6.0.3. Path Traversal: '.../...//' vulnerability in Frenify Arlo arlo allows PHP Local File Inclusion.This issue affects Arlo: from n/a through <= 6.0.3.
Title WordPress Arlo <= 6.0.3 - Local File Inclusion Vulnerability WordPress Arlo theme <= 6.0.3 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00061}

 epss

{'score': 0.00067}

Tue, 10 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in Frenify Arlo allows PHP Local File Inclusion. This issue affects Arlo: from n/a through 6.0.3.
Title WordPress Arlo <= 6.0.3 - Local File Inclusion Vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.366Z

Reserved: 2025-04-16T06:23:43.558Z

Link: CVE-2025-39475

cve-icon Vulnrichment

Updated: 2025-06-10T13:39:26.192Z

cve-icon NVD

Status : Deferred

Published: 2025-06-09T16:15:40.230

Modified: 2026-04-23T15:29:38.037

Link: CVE-2025-39475

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T18:00:14Z

Weaknesses