Description
Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated local file inclusion allows an attacker to specify arbitrary file paths for inclusion by the theme. The flaw, identified as CWE‑98, can lead to sensitive data disclosure and, if the attacker is able to supply executable PHP content, could elevate to remote code execution. The vulnerability is confined to the Deliciosa theme and enables reading of files without authentication, with a potential system‑wide impact if critical configuration or webroot files are accessed.

Affected Systems

The issue affects ThemeREX Deliciosa versions 1.10.0 and earlier. All installations running those releases are susceptible; newer releases are not impacted as they have removed the vulnerable code path.

Risk and Exploitability

The CVSS score of 8.1 classifies the vulnerability as high severity. EPSS indicates the probability of exploitation is below 1 %, suggesting that active, real‑world exploits are currently rare. It is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated web request that includes a crafted file path parameter or filename. Based on the description, it is inferred that the attacker can trigger the flaw by supplying malicious input through a publicly exposed endpoint or configuration setting.

Generated by OpenCVE AI on June 17, 2026 at 19:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Deliciosa theme to a version newer than 1.10.0 that fixes the inclusion flaw.
  • If an immediate upgrade is not available, block or filter the vulnerable parameter with a web‑application firewall or server rewrite rules to prevent arbitrary file path inclusion.
  • Disable or remove the Deliciosa theme from the active theme list and replace it with a vetted alternative to eliminate the local file inclusion risk.

Generated by OpenCVE AI on June 17, 2026 at 19:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex deliciosa
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex deliciosa
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Deliciosa <= 1.10.0 versions.
Title WordPress Deliciosa theme <= 1.10.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Deliciosa
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:50:53.186Z

Reserved: 2025-12-29T11:19:31.912Z

Link: CVE-2025-69121

cve-icon Vulnrichment

Updated: 2026-06-17T10:50:47.957Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:21Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')