Impact
The Modernee theme for WordPress versions 1.6.0 and earlier contains an unauthenticated Local File Inclusion vulnerability that allows an attacker to request arbitrary files on the server. This flaw originates from inadequate access checks when resolving file paths, a weakness identified as CWE-98. If the attacker can read privileged files, they may gain sensitive data or load PHP‑code for further exploitation, potentially achieving remote code execution. The vulnerability is purely functional and does not require administrative privileges, making it concerning for anyone hosting a WordPress site with an affected theme.
Affected Systems
Any WordPress installation running ThemeREX Modernee version 1.6.0 or earlier is vulnerable. The flaw resides in the theme’s file inclusion logic, so sites that have not upgraded beyond this version are at risk. No other vendors or products are mentioned.
Risk and Exploitability
The CVSS score of 8.1 classifies this issue as high severity. The EPSS score of less than 1 percent indicates that, according to current data, exploitation attempts are unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog, suggesting no documented large‑scale exploitation yet. Attackers would likely send a crafted HTTP request to the theme’s inclusion endpoint, which, due to the lack of access control, permits arbitrary file paths to be read. Successful exploitation would result in local file inclusion, which can lead to defacement or escalation of privileges if the attacker can inject executable code.
OpenCVE Enrichment