Description
Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability permits an unauthenticated attacker to include local files via the Kelly Young WordPress theme. The flaw lies in an unchecked file inclusion mechanism, allowing the reading of any file on the server that the web process can access. If a PHP file is read and executed, this could enable code execution, though the CVE description does not confirm such exploitation. The basic impact is a breach of confidentiality for any accessible file, including configuration files or application code.

Affected Systems

WordPress sites that employ the ThemeREX Kelly Young theme version 1.1.0 or earlier are affected, as these versions expose an insecure file inclusion endpoint.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity assessment. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need to construct an HTTP request targeting the vulnerable inclusion path, a method inferred from typical WordPress theme behavior. While exploitation is technically possible, the low EPSS suggests that immediate risk may be limited, although the potential impact of file disclosure remains significant.

Generated by OpenCVE AI on June 17, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kelly Young theme to a version newer than 1.1.0, which removes the insecure inclusion logic.
  • If an upgrade cannot be performed promptly, deactivate or uninstall the theme to eliminate the attack vector.
  • Restrict the web server’s file system permissions so it cannot read sensitive files, and consider blocking the theme’s inclusion endpoint via web server configuration.

Generated by OpenCVE AI on June 17, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex kelly Young
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex kelly Young
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions.
Title WordPress Kelly Young theme <= 1.1.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Kelly Young
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:48:52.475Z

Reserved: 2025-12-29T11:19:41.704Z

Link: CVE-2025-69141

cve-icon Vulnrichment

Updated: 2026-06-17T10:48:47.925Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:09Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')