Description
Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to request the Raider Spirit theme to include arbitrary local files on the server. By manipulating the theme’s file inclusion mechanism, the attacker can read sensitive configuration files, Secrets, or the contents of the file system. If the included file contains executable code—for example, a PHP file crafted by the attacker—the vulnerability could increase to remote code execution. The fault stems from a classic local file inclusion weakness and is formally identified as CWE‑98.

Affected Systems

The affected product is the ThemeREX Raider Spirit WordPress theme. All releases up to and including version 1.1.2 are vulnerable. No other products are listed as impacted.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is considered high severity. The EPSS value of less than 1 % suggests that active exploitation is currently rare. The vulnerability is not catalogued in the CISA KEV list. The attack vector is likely a simple HTTP request to a URL that invokes the LFI path, requiring no authentication. Exploitation would involve supplying a crafted file path via the theme’s parameters, which an attacker can do if the theme is configured to accept user input without proper validation.

Generated by OpenCVE AI on June 17, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Raider Spirit theme to version 1.1.3 or later to remove the insecure file inclusion logic.
  • If an upgrade is not immediately possible, disable or uninstall the vulnerable Raider Spirit theme and revert to a safer alternative.
  • Implement strict input validation or whitelisting for any theme configuration that accepts file paths to prevent inclusion of unintended files.

Generated by OpenCVE AI on June 17, 2026 at 19:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex raider Spirit
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex raider Spirit
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Raider Spirit <= 1.1.2 versions.
Title WordPress Raider Spirit theme <= 1.1.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Raider Spirit
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:52:37.421Z

Reserved: 2025-12-29T11:19:26.264Z

Link: CVE-2025-69109

cve-icon Vulnrichment

Updated: 2026-06-17T10:52:31.643Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:24Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')