Description
Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Local File Inclusion flaw exists in the Top Dog theme for WordPress versions 1.0.5 and earlier. The flaw allows an attacker to craft an URL or request that causes the theme to load arbitrary files from the server’s filesystem. This can lead to disclosure of sensitive files, configuration information, and potentially remote code execution if the server runs the included file as PHP. The weakness corresponds to CWE‑98 and can be exploited without authentication.

Affected Systems

WordPress installations that use the ThemeREX Top Dog theme version 1.0.5 or older are affected. All other versions of the theme are not impacted.

Risk and Exploitability

The vulnerability has a high CVSS score of 8.1 and an EPSS score of less than 1 %, indicating a low current probability of exploitation. It is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated request that includes a malicious file path, inferred from the description of the LFI flaw. No additional prerequisites are mentioned in the data.

Generated by OpenCVE AI on June 17, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Top Dog theme to the latest available version where the local file inclusion is fixed.
  • If an immediate upgrade cannot be performed, modify the theme’s file inclusion logic to enforce strict validation of file paths, including whitelisting allowed directories and preventing directory traversal.
  • After applying a fix, test the website by attempting to access typically sensitive files such as wp‑config.php and verify that the vulnerable file inclusion cannot be triggered.

Generated by OpenCVE AI on June 17, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex top Dog
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex top Dog
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Top Dog <= 1.0.5 versions.
Title WordPress Top Dog theme <= 1.0.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Top Dog
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:47:43.833Z

Reserved: 2025-12-29T11:19:48.753Z

Link: CVE-2025-69149

cve-icon Vulnrichment

Updated: 2026-06-17T10:47:38.733Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:07Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')