Description
Path Traversal: '.../...//' vulnerability in Mikado-Themes GrandPrix grandprix allows PHP Local File Inclusion.This issue affects GrandPrix: from n/a through <= 1.6.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Based on the description, the vulnerability originates from a Path Traversal flaw (CWE‑35) that allows attackers to craft URLs containing sequences such as ".../...//" to include arbitrary local files in PHP scripts. This local file inclusion can lead to unintended disclosure of sensitive information or execution of malicious code if an attacker can place or access a controllable file on the server. The issue is confined to the GrandPrix theme’s handling of file paths and does not involve remote code execution directly, but the potential for code execution exists if the attacker controls the content of the included file.

Affected Systems

Any WordPress site that has installed the Mikado‑Themes GrandPrix theme with a version number of 1.6 or earlier. The vulnerability is present from the earliest version through 1.6; versions released after 1.6 are unaffected.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is considered high severity. The EPSS score is below 1 %, indicating a very low probability of exploitation in the wild at the time of analysis. It is not listed in the CISA KEV catalog, suggesting no known mass exploitation campaigns. Based on the description, it is inferred that the likely attack vector is visiting a URL that triggers the vulnerable path traversal, so the attackability is relatively straightforward for an attacker with access to the site’s public interface.

Generated by OpenCVE AI on April 30, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the GrandPrix theme to the latest non‑vulnerable version (1.7 or newer).
  • If an immediate upgrade is not possible, deactivate or remove the theme entirely to eliminate the attack surface.
  • Install a WordPress security plugin that hardens file permissions and blocks path traversal attempts to provide a temporary defense until the theme can be updated.

Generated by OpenCVE AI on April 30, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17550 Path Traversal vulnerability in Mikado-Themes GrandPrix allows PHP Local File Inclusion. This issue affects GrandPrix: from n/a through 1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in Mikado-Themes GrandPrix allows PHP Local File Inclusion. This issue affects GrandPrix: from n/a through 1.6. Path Traversal: '.../...//' vulnerability in Mikado-Themes GrandPrix grandprix allows PHP Local File Inclusion.This issue affects GrandPrix: from n/a through <= 1.6.
Title WordPress GrandPrix <= 1.6 - Local File Inclusion Vulnerability WordPress GrandPrix theme <= 1.6 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Qodeinteractive
Qodeinteractive grandprix
CPEs cpe:2.3:a:qodeinteractive:grandprix:*:*:*:*:*:wordpress:*:*
Vendors & Products Qodeinteractive
Qodeinteractive grandprix

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00061}

 epss

{'score': 0.00067}

Mon, 09 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Path Traversal vulnerability in Mikado-Themes GrandPrix allows PHP Local File Inclusion. This issue affects GrandPrix: from n/a through 1.6.
Title WordPress GrandPrix <= 1.6 - Local File Inclusion Vulnerability
Weaknesses CWE-35
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Qodeinteractive Grandprix
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.451Z

Reserved: 2025-06-04T09:41:51.340Z

Link: CVE-2025-49296

cve-icon Vulnrichment

Updated: 2025-06-09T19:25:40.299Z

cve-icon NVD

Status : Modified

Published: 2025-06-09T16:15:46.540

Modified: 2026-04-23T15:31:24.823

Link: CVE-2025-49296

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T18:15:06Z

Weaknesses