Description
Unauthenticated Local File Inclusion in Geya <= 1.15 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker can trigger a local file inclusion flaw in the Geya WordPress theme up to version 1.15. The vulnerability allows reading arbitrary files from the server’s file system, which could expose configuration files, stored credentials, or other sensitive information that may aid further attacks. This weakness is classified as CWE-98.

Affected Systems

The issue affects the Geya theme from ThemeREX Group, specifically all releases up to and including 1.15 when used in a WordPress environment.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending a specially crafted request that causes the theme to include a local file path, and no authentication is required. While the potential to read sensitive files is significant, the concrete impact depends on the attacker’s ability to locate valuable files within the site’s file system.

Generated by OpenCVE AI on June 17, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Geya theme to version 1.16 or later, which removes the vulnerable inclusion mechanism.
  • If an upgrade is not possible, disable or remove the Geya theme to eliminate the attack surface.
  • Implement WAF rules or server‑side restrictions that block or sanitize local file inclusion attempts, such as filtering the include path or setting the PHP directive `allow_url_include` to Off and restricting file permissions for the theme directory.

Generated by OpenCVE AI on June 17, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex Group
Themerex Group geya
Wordpress
Wordpress wordpress
Vendors & Products Themerex Group
Themerex Group geya
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Geya <= 1.15 versions.
Title WordPress Geya theme <= 1.15 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Group Geya
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:54:25.371Z

Reserved: 2025-09-06T04:44:31.841Z

Link: CVE-2025-58924

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:33Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')