Description
Unauthenticated Local File Inclusion in Mission <= 1.22 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Mission theme (versions 1.22 and earlier) contains an unauthenticated Local File Inclusion flaw that allows an attacker to read the contents of arbitrary files on the server. By supplying a crafted input, malicious parties can retrieve sensitive configuration files or potentially include malicious files to gain further control of the system.

Affected Systems

Vendors: ThemeREX. Product: Mission theme. Affected versions: 1.22 and earlier of the WordPress Mission theme.

Risk and Exploitability

The CVSS score of 8.1 reflects significant impact, while the EPSS score of <1% suggests that exploitation is uncommon but still possible. The vulnerability is not listed in the CISA KEV catalog. Since the flaw is unauthenticated, an attacker can leverage it from any visitor to the site by crafting a request that manipulates the include path to read local files.

Generated by OpenCVE AI on June 17, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mission theme to the latest available version.
  • If an upgrade is not immediately feasible, disable or delete the Mission theme to prevent exploitation.
  • Configure the web server to enforce strict directory permissions so that the web process cannot read sensitive files and apply a WAF rule to block directory traversal patterns.

Generated by OpenCVE AI on June 17, 2026 at 20:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex mission
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex mission
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Mission <= 1.22 versions.
Title WordPress Mission theme <= 1.22 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Mission
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:48:25.428Z

Reserved: 2025-12-29T11:19:41.704Z

Link: CVE-2025-69143

cve-icon Vulnrichment

Updated: 2026-06-17T10:48:20.745Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:33Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')