Description
Unauthenticated Local File Inclusion in Gat <= 1.16 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unrestricted Local File Inclusion allows an unauthenticated attacker to read or include arbitrary files on the server via the Gat theme. The flaw can expose sensitive configuration files, credentials, or lead to arbitrary code execution if included files are executable. The high CVSS score of 8.1 reflects the severity and the potential for broad impact across all users of a site.

Affected Systems

ThemeREX Gat theme versions up to 1.16 are vulnerable. Sites running these versions with the theme active are affected.

Risk and Exploitability

The vulnerability requires no authentication and can be triggered by a crafted request to the theme. Although no EPSS score is reported and the issue is not listed in the CISA KEV catalog, the lack of controls allows widespread exploitation. The CVSS score underscores its high impact and the ease with which an attacker could leverage it.

Generated by OpenCVE AI on June 18, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gat theme to version 1.17 or later, which contains the fix for the Local File Inclusion flaw.
  • If an immediate update is not possible, remove or disable the theme’s functionality that accepts file paths, effectively blocking the vulnerable parameter from being processed.
  • Deploy a web application firewall or use file path validation rules to reject requests containing directory traversal characters or paths that reference disallowed directories.

Generated by OpenCVE AI on June 18, 2026 at 12:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex gat
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex gat
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Gat <= 1.16 versions.
Title WordPress Gat theme <= 1.16 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:39.617Z

Reserved: 2025-12-29T11:19:48.752Z

Link: CVE-2025-69145

cve-icon Vulnrichment

Updated: 2026-06-17T15:31:33.562Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:20Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')