Description
Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated local file inclusion flaw present in all Dazzle theme releases up to version 1.0.0. Attackers can supply arbitrary file paths to theme scripts, potentially allowing them to read any file accessible to the web server. This represents a confidentiality breach that could expose configuration data, credentials, or other sensitive information. The weakness is identified as CWE‑98, which reflects an insufficient control over local file access during input handling.

Affected Systems

The WordPress Dazzle theme developed by ThemeREX is impacted. All versions of the theme up to and including 1.0.0 are vulnerable. Administrators should verify whether the theme is currently installed and, if so, what version is active.

Risk and Exploitability

The CVSS score of 8.1 places this vulnerability in the high‑severity category. EPSS data is not available, so a precise assessment of current exploitation likelihood cannot be made, but the flaw is unauthenticated and may be readily exploited by sending crafted requests to the affected theme’s endpoints. The vulnerability is not listed in the CISA KEV catalog at this time. Attackers could target any site using the affected theme without requiring credentials, making mitigation through patching or removal the most effective countermeasure.

Generated by OpenCVE AI on June 18, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Dazzle theme to a fixed version (e.g., 1.0.1 or later) to eliminate the local file inclusion flaw.
  • If an updated version is not immediately available, remove or disable the Dazzle theme from the site to eliminate the vulnerability surface.
  • In the interim, configure a web application firewall or security plugin to block requests that include directory traversal patterns or other suspicious file path inputs used by the theme’s scripts.

Generated by OpenCVE AI on June 18, 2026 at 13:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions.
Title WordPress Dazzle theme <= 1.0.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:08:24.497Z

Reserved: 2025-12-29T11:19:31.911Z

Link: CVE-2025-69120

cve-icon Vulnrichment

Updated: 2026-06-17T14:08:21.749Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')