Description
Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Fortius theme up to version 2.3.0 contains a local file inclusion flaw that does not require authentication, allowing an attacker to read files that the web server can access. The vulnerability is a classic CWE‑98 flaw and lets the attacker obtain information from the server, potentially including sensitive configuration or other data. No specific files are mentioned in the CVE record; the impact is inferred to be the potential disclosure of whatever files the attacker can reach by path traversal and that are readable by the web process.

Affected Systems

WordPress sites that have installed ThemeREX Fortius theme version 2.3.0 or earlier are affected. The issue is confined to the theme’s code and does not affect the core WordPress files unless the theme is active.

Risk and Exploitability

The CVSS score of 8.1 labels this a high‑severity vulnerability, and the lack of an authentication requirement means the flaw can be exploited remotely via crafted URLs. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. If an attacker can reach the vulnerable theme’s inclusion code, exploitation is likely and can lead to information disclosure. Proper deployment of the latest theme version or removal of the theme mitigates the risk.

Generated by OpenCVE AI on June 18, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Fortius theme to the latest released version (≥2.4.0) to apply the vendor fix.
  • If an upgrade is not possible, remove or deactivate the vulnerable theme to eliminate the inclusion path.
  • Optional: restrict access to sensitive server files by configuring the web server or .htaccess rules to deny read permissions from the theme’s inclusion directory.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Local File Inclusion in Fortius <= 2.3.0 versions.
Title | | WordPress Fortius theme <= 2.3.0 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:31:31.474Z

Reserved: 2025-12-29T11:19:37.128Z

Link: CVE-2025-69126

Vulnrichment

Updated: 2026-06-17T14:31:12.974Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')