Description
Unauthenticated Local File Inclusion in Medeus <= 1.14 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Local File Inclusion flaw present in all ThemeREX Medeus WordPress theme versions 1.14 and earlier. The defect allows a remote attacker to craft a request that bypasses the theme’s file handling logic, potentially loading arbitrary files from the server. This can expose confidential configuration data, user credentials, or other sensitive files. The weakness is classified as CWE‑98.

Affected Systems

All installations of the ThemeREX Medeus theme with version 1.14 or lower are potentially vulnerable. No additional sub‑version distinctions are documented, so any site running an affected edition of Medeus should treat itself as at risk.

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity, and the EPSS score of less than 1 % indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack path is a direct HTTP request to a file‑inclusion endpoint within the theme; no authentication is required, lowering the bar for exploitation, though the attacker must still craft an appropriate path to include the desired file.

Generated by OpenCVE AI on June 18, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Medeus theme to a version newer than 1.14, ensuring that the vendor’s latest release is installed.
  • Check the vendor’s latest security advisories and apply any available patches or hotfixes before upgrading.
  • Restrict file permissions for sensitive files such as wp-config.php and any other configuration files, ensuring they are not accessible via the web server.

Generated by OpenCVE AI on June 18, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex medeus
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex medeus
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Medeus <= 1.14 versions.
Title WordPress Medeus theme <= 1.14 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Medeus
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:47:29.778Z

Reserved: 2025-12-29T11:19:48.753Z

Link: CVE-2025-69150

cve-icon Vulnrichment

Updated: 2026-06-17T10:47:24.140Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:28Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')