Description
Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unauthenticated Local File Inclusion in the Wanium WordPress theme up to version 1.9.8. Attackers can supply crafted parameters to the theme so that it reads and returns arbitrary files from the server file system. The disclosure of configuration files, credentials, or other sensitive data can occur, and if an executable file such as PHP is included, remote code execution may be possible. The weakness is classified as CWE‑98, Improper Control of File Name or Path for Inclusion or Execution.

Affected Systems

The affected product is the WordPress theme Wanium provided by Themelogi, with vulnerable versions up to and including 1.9.8. All sites using these theme versions, irrespective of the underlying WordPress installation, are impacted because the flaw resides in the theme code.

Risk and Exploitability

The CVSS v3.1 score is 8.1, indicating high severity, while the EPSS score is less than 1 %, signalling a low probability of exploitation in current datasets. The vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is 'LOCAL', inferred from the fact that the flaw allows an unauthenticated HTTP request without additional privileges. An adversary can craft a request with a malicious path to include any file available to the web process, potentially exposing secrets or executing code. Because the exploit is simple and requires no special environment, the potential impact remains significant.

Generated by OpenCVE AI on June 17, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wanium theme to version 1.9.9 or later, which removes the vulnerable code path.
  • If an immediate upgrade is not possible, disable the theme’s file inclusion functionality by removing or neutralizing the affected include call and ensure the theme no longer processes the vulnerable parameter.
  • Apply WordPress or server‑level file‑system restrictions such as .htaccess rules to block direct access to sensitive directories, thereby reducing the attack surface while the theme remains in use.

Generated by OpenCVE AI on June 17, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themelogi
Themelogi wanium
Wordpress
Wordpress wordpress
Vendors & Products Themelogi
Themelogi wanium
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Wanium <= 1.9.8 versions.
Title WordPress Wanium theme <= 1.9.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themelogi Wanium
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:49:39.124Z

Reserved: 2025-12-29T11:19:41.703Z

Link: CVE-2025-69136

cve-icon Vulnrichment

Updated: 2026-06-17T10:49:33.506Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:14Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')