Description
Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unauthenticated Local File Inclusion flaw in the ThemeREX Snow Club WordPress theme, versions 1.1 and earlier. The theme uses user input directly in a file include request, allowing an attacker to read or execute arbitrary files on the web server. The flaw can expose critical configuration settings and database credentials, and in the worst case facilitate remote code execution if a PHP file is included. The weakness is classified as CWE-98.

Affected Systems

WordPress sites that have the ThemeREX Snow Club theme installed at version 1.1 or earlier are affected. Any site that continues to run these vulnerable theme versions remains at risk.

Risk and Exploitability

The flaw has a CVSS score of 8.1, indicating high severity. The EPSS score is not available, so the precise likelihood of exploitation cannot be quantified. Because the vulnerability is unauthenticated and requires no special privileges, any visitor can potentially trigger it. The vulnerability is not currently listed in CISA’s KEV catalog, but its high impact and lack of authentication make it a priority to address.

Generated by OpenCVE AI on June 18, 2026 at 14:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or deactivate the Snow Club theme so it is no longer active on the site.
  • If the theme is required, upgrade to the latest available version that contains the fix.
  • Configure the web server or use a security plugin to restrict or block arbitrary file inclusion by the theme, such as setting tight file permissions or adding rules that prevent inclusion of paths outside the theme directory.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Wed, 17 Jun 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions. |
| Title | | WordPress Snow Club theme <= 1.1 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:47:05.363Z

Reserved: 2025-12-29T11:19:31.912Z

Link: CVE-2025-69123

Vulnrichment

Updated: 2026-06-17T14:47:00.494Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')