Description
Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
Published: 2026-06-26
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Contributor Local File Inclusion vulnerability was discovered in versions up to 4.4.3 of the Splash theme, a weakness classified as CWE-98. This flaw allows an attacker to request arbitrary local file paths, leading to the disclosure of sensitive files such as the WordPress configuration, database credentials, or other confidential data. The impact is not confined to information leakage: an attacker could potentially include files containing vulnerable code, creating a pathway to further exploitation such as remote code execution if additional weaknesses exist.

Affected Systems

The Splash – Sport Club WordPress Theme for Basketball, Football, Hockey, developed by StylemixThemes, is affected in all releases up to version 4.4.3 inclusive. Versions 4.4.4 and later contain the remediation for this issue.

Risk and Exploitability

The CVSS score of 7.5 marks this flaw as high severity. No EPSS score is available, so there is no quantitative estimate of exploitation likelihood, though LFI is a common attack vector with significant real-world exploitation. The vulnerability is not listed in the CISA KEV catalog, but the potential to read arbitrary files raises a tangible threat profile, especially if the WordPress installation is exposed to the public internet.

Generated by OpenCVE AI on June 26, 2026 at 16:22 UTC.

Remediation

Vendor Solution

Update the Splash - Sport Club WordPress Theme for Basketball, Football, Hockey to the latest available version (at least 4.4.4).


OpenCVE Recommended Actions

  • Update the Splash theme to version 4.4.4 or later to apply the vendor’s fix.
  • If an update is not immediately possible, disable or remove the old Splash theme from the site to prevent exploitation.
  • Ensure the WordPress core and all other plugins are kept at their latest secure versions to reduce overall attack surface.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 26 Jun 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions. |
| Title | | WordPress Splash - Sport Club WordPress theme for Basketball, Football, Hockey theme <= 4.4.3 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T17:44:10.073Z

Reserved: 2025-12-15T10:01:19.544Z

Link: CVE-2025-68063

Vulnrichment

Updated: 2026-06-26T17:34:07.925Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T16:30:03Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')