Description
Unauthenticated Local File Inclusion in HomeRoofer <= 2.11.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The HomeRoofer WordPress theme contains an unauthenticated Local File Inclusion flaw that allows an attacker to read files from the web server’s file system. Because no authentication is required, a malicious actor can supply a crafted request that forces the theme to include a file path supplied by the attacker. The primary impact is potential disclosure of sensitive information, such as configuration files or content that could be leveraged for further attacks.

Affected Systems

The vulnerability exists in ThemeREX HomeRoofer WordPress theme versions up to and including 2.11.0. Any WordPress site that is running one of these legacy theme releases is at risk.

Risk and Exploitability

The CVSS score of 8.1 marks this flaw as High, reflecting the significant impact of read access to server files. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, indicating no publicly known exploits at the time of this analysis. However, the attack surface is internal to the site and requires only the ability to construct a URL that includes the vulnerable parameter, making exploitation relatively straightforward for anyone who can visit the affected site.

Generated by OpenCVE AI on June 18, 2026 at 14:13 UTC.

Remediation

Vendor Solution

Update the WordPress HomeRoofer theme to the latest available version (at least 2.12.0).


OpenCVE Recommended Actions

  • Upgrade the HomeRoofer theme to version 2.12.0 or later as advised by the vendor.
  • If an immediate upgrade is not possible, disable the theme or replace it with a secure alternative until the patch can be applied.
  • Implement file system permission restrictions or .htaccess rules to prevent arbitrary file inclusion by the PHP runtime.

Generated by OpenCVE AI on June 18, 2026 at 14:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex homeroofer
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex homeroofer
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in HomeRoofer <= 2.11.0 versions.
Title WordPress HomeRoofer theme <= 2.11.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Homeroofer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:43:47.921Z

Reserved: 2025-09-06T04:45:02.777Z

Link: CVE-2025-58954

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:22Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')