Description
Unauthenticated Local File Inclusion in MaxiNet <= 1.2.10 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Local File Inclusion exists in the MaxiNet WordPress theme versions up to 1.2.10. The flaw allows an attacker to supply a file path argument that is not properly validated, leading to the inclusion of arbitrary files on the server. This can expose sensitive configuration files, user data, or enable remote code execution if the included file contains executable code.

Affected Systems

The vulnerability affects the ThemeREX MaxiNet theme for WordPress, specifically any installation using version 1.2.10 or earlier.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but not impossible. The flaw does not appear in the CISA KEV catalog, so no known public exploits exist. Based on the description, it is inferred that an attacker could trigger the inclusion by crafting a request that supplies a malicious file path in a publicly reachable parameter, as the vulnerability is unauthenticated. The attacker could then read sensitive files or potentially execute code if the included file contains executable content.

Generated by OpenCVE AI on June 17, 2026 at 22:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MaxiNet theme to a version newer than 1.2.10 to remove the vulnerable code.
  • Apply input validation per CWE-98: adjust the theme’s inclusion logic to sanitize file path inputs and permit only whitelisted files.
  • Restrict file permissions on the WordPress installation so that only necessary files can be accessed via the web server, reducing the impact of any remaining inclusion paths.

Generated by OpenCVE AI on June 17, 2026 at 22:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex maxinet
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex maxinet
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in MaxiNet <= 1.2.10 versions.
Title WordPress MaxiNet theme <= 1.2.10 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Maxinet
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:51:51.364Z

Reserved: 2025-12-29T11:19:31.911Z

Link: CVE-2025-69114

cve-icon Vulnrichment

Updated: 2026-06-17T10:51:46.344Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:43Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')