Description
Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in AirSupply theme versions 2.0.0 and earlier permits an unauthenticated attacker to trigger a local file inclusion (LFI). By manipulating input parameters, malicious actors can read arbitrary files on the server or, if writable PHP files can be included, potentially execute code. This flaw stems from insufficient input sanitization during file path construction.

Affected Systems

The issue affects WordPress sites using the ThemeREX AirSupply theme, specifically all releases 2.0.0 and earlier. Site owners using these theme versions are susceptible to LFI and must assess which precise release they are running.

Risk and Exploitability

The CVSS score of 8.1 indicates serious risk. The EPSS score is not available, so the exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion via unsanitized input parameters, enabling read or potential execution of arbitrary files on the server (inferred from the description).

Generated by OpenCVE AI on June 18, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the AirSupply theme to the latest available version that addresses the LFI flaw.
  • If an immediate theme upgrade is not viable, restrict access to the directories that can be targeted by the LFI by enforcing stricter file permissions or configuring the web server (e.g., via .htaccess) to deny access to sensitive files such as configuration files and PHP code that should not be publicly readable.
  • Monitor web traffic for suspicious file-inclusion requests (e.g., URLs containing ../../ or common system file paths) and block anomalous requests.

Generated by OpenCVE AI on June 18, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex airsupply
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex airsupply
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions.
Title WordPress AirSupply theme <= 2.0.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Airsupply
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:43:09.486Z

Reserved: 2025-12-29T11:19:26.264Z

Link: CVE-2025-69110

cve-icon Vulnrichment

Updated: 2026-06-17T12:43:05.656Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:50Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')