Description
Unauthenticated Local File Inclusion in Snowy <= 1.13 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Local File Inclusion flaw present in the Snowy theme for WordPress versions 1.13 and earlier. An attacker can cause the theme to include files from the server’s file system, potentially exposing sensitive information such as configuration files, database credentials, or arbitrary code. Because the flaw is classified as CWE‑98, it results from the theme failing to validate or sanitize input used to reference local files.

Affected Systems

Any WordPress installation that has the ThemeREX Snowy theme version 1.13 or earlier is affected. The issue is specific to that theme and does not extend to other WordPress themes or core. Administrators should identify all sites running Snowy <=1.13 to determine exposure.

Risk and Exploitability

The CVSS score of 8.1 signals a high‑severity vulnerability, and the absence of an EPSS figure means the current exploitation probability is not quantified. The flaw does not require authentication, so the likely attack vector is a crafted request that points the Snowy theme’s file handling code to an arbitrary local file. Although the vulnerability is not listed in CISA’s KEV catalog, the potential for reading arbitrary files makes the risk significant if the theme remains installed at a vulnerable version.

Generated by OpenCVE AI on June 18, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Snowy theme to a release newer than 1.13, as provided by the vendor, to eliminate the flaw.
  • If an upgrade cannot be performed immediately, deactivate or delete the Snowy theme to deny the vulnerable code path.
  • Restrict the web server’s file system exposure by preventing web access to sensitive files such as /wp-config.php and /wp-includes.
  • Apply web application firewall rules that block requests targeting known vulnerable endpoint patterns used by the Snowy theme for file inclusion.

Generated by OpenCVE AI on June 18, 2026 at 15:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex snowy
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex snowy
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Snowy <= 1.13 versions.
Title WordPress Snowy theme <= 1.13 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Snowy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:32:17.326Z

Reserved: 2025-12-29T11:19:54.138Z

Link: CVE-2025-69161

cve-icon Vulnrichment

Updated: 2026-06-17T13:36:45.273Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:45Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')