Description
Unauthenticated Local File Inclusion in Neuronet < 1.14.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Neuronet WordPress theme versions prior to 1.14.0 contain an unauthenticated local file inclusion flaw that can be exploited by manipulating a parameter that is not properly validated before being passed to an include operation. An attacker with access to the site can request arbitrary files from the server’s file system, potentially exposing configuration data, credentials, or code. If an executable file is included, remote code execution on the host may be achieved.

Affected Systems

All WordPress sites that use the Neuronet theme from ThemeREX with a version lower than 1.14.0 are vulnerable; no additional version qualifiers are provided beyond the cutoff of 1.14.0.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1 and an unavailable EPSS score, and it is not listed in CISA’s KEV catalog. Exploitation requires no authentication but relies on a crafted request that specifies a path relative to the web root. The attack scope is limited to files accessible under the web server’s document root, yet the ability to read or execute sensitive files presents a significant risk.

Generated by OpenCVE AI on June 18, 2026 at 12:32 UTC.

Remediation

Vendor Solution

Update the WordPress Neuronet theme to the latest available version (at least 1.14.0).


OpenCVE Recommended Actions

  • Update the Neuronet theme to version 1.14.0 or later to apply the vendor’s fix.
  • If upgrading immediately is not possible, remove or disable the theme until an update is applied.
  • Restrict filesystem permissions and consider disabling PHP file editing in WordPress settings to limit the impact of a local file inclusion.

Generated by OpenCVE AI on June 18, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex neuronet
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex neuronet
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Neuronet < 1.14.0 versions.
Title WordPress Neuronet theme < 1.14.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Neuronet
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T13:43:51.314Z

Reserved: 2025-09-06T04:44:54.906Z

Link: CVE-2025-58952

cve-icon Vulnrichment

Updated: 2026-06-17T13:43:35.840Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:25Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')