Description
Unauthenticated Local File Inclusion in Joly <= 1.22.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Joly theme for WordPress versions 1.22.0 and earlier contains a Local File Inclusion flaw (CWE-98). It allows an unauthenticated attacker to influence the file path used by the theme to load local files, potentially exposing sensitive data such as configuration files or user credentials. While the description does not confirm remote code execution, arbitrary file disclosure can serve as a foothold for further attacks.

Affected Systems

WordPress sites that have installed the ThemeREX Joly theme at version 1.22.0 or earlier are at risk. The vulnerability does not affect newer releases, so sites running any Joly version later than 1.22.0 are safe from this specific LFI flaw.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and although the EPSS score is not available, the lack of requirement for authentication means that an attacker can target any publicly accessible Joly-powered site. The vulnerability is not listed in CISA’s KEV catalog. The LFI can be triggered via the theme's internal request handling, so the risk is significant for sites lacking additional web‑server file‑access controls.

Generated by OpenCVE AI on June 18, 2026 at 12:32 UTC.

Remediation

Vendor Solution

Update the WordPress Joly theme to the latest available version (at least 1.23.0).


OpenCVE Recommended Actions

  • Update the Joly theme to version 1.23.0 or later as recommended by the vendor.
  • If the theme cannot be updated immediately, temporarily deactivate or replace Joly with a non‑vulnerable alternative.
  • Configure web server or CMS file‑access restrictions to deny read access to sensitive files such as wp-config.php from the web path, mitigating the impact of any remaining LFI.

Generated by OpenCVE AI on June 18, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex joly
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex joly
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Joly <= 1.22.0 versions.
Title WordPress Joly theme <= 1.22.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Joly
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:29:17.920Z

Reserved: 2025-09-06T04:45:02.777Z

Link: CVE-2025-58953

cve-icon Vulnrichment

Updated: 2026-06-17T15:29:11.729Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:24Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')