Description
Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Food Drop theme versions 1.3 and earlier can be exploited through an unauthenticated Local File Inclusion flaw. An attacker could trick the theme into including a local file via a crafted URL or parameter, potentially exposing sensitive files such as configuration files or webroot content. If the attacker can force the inclusion of a PHP file, arbitrary code execution becomes possible.

Affected Systems

All installations of the ThemeREX Food Drop theme using version 1.3 or earlier are affected. Any WordPress site that has deployed these legacy theme releases is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1 and an EPSS score below 1%, indicating a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. Likely attack vector is an unauthenticated request to the site that manipulates the file path the theme uses for inclusion. Because the flaw allows inclusion of arbitrary files on the server, an attacker could obtain sensitive information or, if PHP files are included, gain remote code execution. The absence of authentication or file path validation enables this attack without special prerequisites.

Generated by OpenCVE AI on June 17, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Food Drop theme to the latest released version (1.4 or newer).
  • If an upgrade is not yet feasible, restrict file execution via web server configuration or .htaccess rules in the theme directories to prevent PHP files from being served or executed.
  • Monitor web server logs for abnormal file inclusion attempts or suspicious request patterns that may indicate exploitation attempts.

Generated by OpenCVE AI on June 17, 2026 at 19:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex food Drop
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex food Drop
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Food Drop <= 1.3 versions.
Title WordPress Food Drop theme <= 1.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Food Drop
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:50:09.339Z

Reserved: 2025-12-29T11:19:37.128Z

Link: CVE-2025-69125

cve-icon Vulnrichment

Updated: 2026-06-17T10:50:03.672Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:19Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')