Description
Unauthenticated Local File Inclusion in Quirky <= 1.23 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Local File Inclusion (CWE‑98) exists in ThemeREX Quirky theme version 1.23 and earlier. The flaw allows an attacker to supply arbitrary file paths that the theme will include, potentially exposing the contents of sensitive files or executing injected code. Successful exploitation can compromise confidentiality through data disclosure and may lead to integrity or remote‑code‑execution threats if the included file contains executable payloads. The vulnerability is triggered without authentication, meaning any web visitor or attacker can try to exploit it.

Affected Systems

The affected system is the WordPress Quirky theme from ThemeREX, applicable to all releases of version 1.23 and older. Admins using these versions should verify the theme version in the WordPress dashboard.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. EPSS data is not provided, so the dynamic exploitation probability cannot be quantified, but the lack of authentication requirement raises the likelihood of automated attacks. The vulnerability is not listed in CISA’s KEV catalogue; however, its high impact and ease of exploitation warrant immediate remediation. Attackers may execute the LFI by sending crafted requests that traverse directories and include system files or arbitrary PHP scripts, gaining privileged access to the web server environment.

Generated by OpenCVE AI on June 18, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Quirky theme to version 1.24 or later, which fixes the inclusion handler.
  • If an update is not immediately possible, disable or remove the page/component that triggers the file‑inclusion logic, ensuring the vulnerable code path cannot be reached.
  • As a temporary workaround, enforce input validation or blacklist directory traversal characters for the parameters used by the theme, and restrict access using .htaccess rules or a WAF to block malicious requests.

Generated by OpenCVE AI on June 18, 2026 at 12:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex quirky
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex quirky
Wordpress
Wordpress wordpress

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Quirky <= 1.23 versions.
Title WordPress Quirky theme <= 1.23 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Quirky
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:42:13.912Z

Reserved: 2025-12-29T11:19:48.753Z

Link: CVE-2025-69148

cve-icon Vulnrichment

Updated: 2026-06-17T12:41:41.752Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:18Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')