Description
Unauthenticated Local File Inclusion in Modernee <= 1.6.0 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Modernee theme for WordPress versions 1.6.0 and earlier contains an unauthenticated Local File Inclusion vulnerability that allows an attacker to request arbitrary files on the server. This flaw originates from inadequate access checks when resolving file paths, a weakness identified as CWE-98. If the attacker can read privileged files, they may gain sensitive data or load PHP‑code for further exploitation, potentially achieving remote code execution. The vulnerability is purely functional and does not require administrative privileges, making it concerning for anyone hosting a WordPress site with an affected theme.

Affected Systems

Any WordPress installation running ThemeREX Modernee version 1.6.0 or earlier is vulnerable. The flaw resides in the theme’s file inclusion logic, so sites that have not upgraded beyond this version are at risk. No other vendors or products are mentioned.

Risk and Exploitability

The CVSS score of 8.1 classifies this issue as high severity. The EPSS score of less than 1 percent indicates that, according to current data, exploitation attempts are unlikely but not impossible. The vulnerability is not listed in CISA’s KEV catalog, suggesting no documented large‑scale exploitation yet. Attackers would likely send a crafted HTTP request to the theme’s inclusion endpoint, which, due to the lack of access control, permits arbitrary file paths to be read. Successful exploitation would result in local file inclusion, which can lead to defacement or escalation of privileges if the attacker can inject executable code.

Generated by OpenCVE AI on June 17, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Modernee to the latest available version, which removes the vulnerable inclusion endpoint.
  • If an update is not immediately possible, rename or delete the PHP file that hosts the file‑inclusion logic so that no request can reach it.
  • Configure the web server to restrict read permissions on sensitive directories such that the web process cannot access configuration, system, or user files.

Generated by OpenCVE AI on June 17, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex modernee
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex modernee
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Modernee <= 1.6.0 versions.
Title WordPress Modernee theme <= 1.6.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Modernee
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:53:24.008Z

Reserved: 2025-12-29T11:19:26.264Z

Link: CVE-2025-69105

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:48Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')