Description
Unauthenticated Local File Inclusion in Preservation <= 1.10 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Preservation theme is vulnerable to an unauthenticated local file inclusion flaw. An attacker can supply crafted input to cause the server to read arbitrary files from the filesystem. This weakness directly maps to CWE‑98 and, if the included files contain code or configuration data, could lead to disclosure of credentials or the ability to execute code on the host. Because the exploit does not require authentication, any web visitor can trigger it, exposing the site to a broad threat surface.

Affected Systems

WordPress users running the ThemeREX Preservation theme version 1.10 or are affected. The vulnerability affects all installations of these versions with no further version granularity specified.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity level. EPSS is not available, so the precise exploitation probability remains unknown, but the lack of a KEV listing suggests no widespread exploitation has been reported yet. Nevertheless, the unauthenticated nature of the LFI allows any visitor to trigger the issue, making it highly exploitable once discovered. Attackers could read local files such as wp‑config.php, leading to credential leaks, or include code that requests remote resources, possibly executing arbitrary PHP.

Generated by OpenCVE AI on June 18, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeREX Preservation theme to a non‑vulnerable version (current release 1.11 or newer).
  • Restrict file access on the server: set correct file permissions for sensitive files such as wp-config.php and add .htaccess rules to block direct access.
  • Deploy a web application firewall or security plugin that detects and blocks Local File Inclusion attempts (e.g., monitor for patterns like '/../' in query parameters).

Generated by OpenCVE AI on June 18, 2026 at 13:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex preservation
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex preservation
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Preservation <= 1.10 versions.
Title WordPress Preservation theme <= 1.10 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Preservation
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:46:35.630Z

Reserved: 2025-12-29T11:19:48.752Z

Link: CVE-2025-69144

cve-icon Vulnrichment

Updated: 2026-06-17T14:46:31.593Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:55Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')