Description
Unauthenticated Local File Inclusion in Iona <= 1.0.8 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to include local files through the WordPress Iona theme versions 1.0.8 and earlier. The flaw can lead to leaking of configuration files, credentials, or other sensitive data and, in some scenarios, enable execution of arbitrary code on the server. The weakness aligns with CWE‑98, highlighting insufficient validation of file paths supplied by users.

Affected Systems

The impact is confined to websites that have installed the ThemeREX Iona theme, specifically any instance running a version equal to or older than 1.0.8. Site owners using newer releases are not affected.

Risk and Exploitability

Based on the description, it is inferred that the attack vector is an unauthenticated HTTP request to the site’s public entry points that manipulates the inclusion parameter, enabling arbitrary file inclusion. The CVSS v3.1 score of 8.1 classifies the issue as High severity. EPSS indicates a probability of exploitation less than 1 %, and the vulnerability does not appear in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. Nonetheless, because the flaw is unauthenticated, the attack surface is broad; an attacker can retrieve arbitrary files or execute code by triggering the inclusion mechanism. The remote exploitation path is relatively straightforward, requiring no credentials and minimal skill beyond manipulating the inclusion parameter. The lack of current exploitation evidence may stem from the low EPSS rather than a lack of severity. Overall, the risk is high for affected sites, but the likelihood of successful exploitation remains low at present.

Generated by OpenCVE AI on June 17, 2026 at 20:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WordPress Iona theme to a version newer than 1.0.8 as soon as possible.
  • If an upgrade is not feasible, remove or deactivate the Iona theme to eliminate the inclusion vector.
  • Restrict web access to all theme directories by configuring file permissions and .htaccess rules so that PHP files cannot be requested directly, thereby preventing the inclusion attack pathway.
  • Monitor access logs for attempts to include unintended files and audit any unauthorized file read activity.

Generated by OpenCVE AI on June 17, 2026 at 20:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex iona
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex iona
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Iona <= 1.0.8 versions.
Title WordPress Iona theme <= 1.0.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Iona
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:51:37.283Z

Reserved: 2025-12-29T11:19:31.911Z

Link: CVE-2025-69116

cve-icon Vulnrichment

Updated: 2026-06-17T10:51:31.962Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:41Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')