Description
Unauthenticated Local File Inclusion in Gamic <= 1.15 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated local file inclusion flaw exists in ThemeREX Gamic versions 1.15 and earlier. The vulnerability occurs when the theme’s core PHP code constructs file paths directly from user‑supplied parameters, allowing a crafted request to include any file stored on the web server. The flaw is aligned with CWE‑98 and, because it does not require authentication, an attacker can read sensitive files that are readable by the web server process.

Affected Systems

Any WordPress site that has installed the ThemeREX Gamic theme version 1.15 or an older release is vulnerable. The issue is isolated to the theme itself and does not depend on other plugins or themes. Site administrators should verify the installed theme version in their WordPress dashboard to determine exposure.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity. No EPSS score is available, but the flaw is triggered by normal web requests and needs no authentication, so the likelihood of exploitation is considered high. The vulnerability is not listed in CISA KEV. Attackers can likely manipulate query string parameters or form fields processed by the theme, causing arbitrary local file read or inclusion.

Generated by OpenCVE AI on June 18, 2026 at 14:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ThemeREX Gamic theme to version 1.16 or later, which contains the official fix for the local file inclusion issue.
  • If a patch is not immediately possible, disable or remove the Gamic theme to eliminate the vulnerable code path.
  • Configure PHP’s open_basedir to restrict the directories that can be accessed by file‑include functions, and ensure allow_url_include is disabled.

Generated by OpenCVE AI on June 18, 2026 at 14:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex gamic
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex gamic
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Gamic <= 1.15 versions.
Title WordPress Gamic theme <= 1.15 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Gamic
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:29:41.070Z

Reserved: 2025-12-29T11:19:54.137Z

Link: CVE-2025-69157

cve-icon Vulnrichment

Updated: 2026-06-17T14:29:24.617Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:38Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')