Description
Unauthenticated Local File Inclusion in Grecko <= 5.17 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Grecko theme for WordPress versions up to and including 5.17 contains an unauthenticated Local File Inclusion flaw. The vulnerability allows an attacker to include arbitrary files on the server, which can lead to the execution of malicious code or disclosure of sensitive data, thereby compromising the confidentiality, integrity, and availability of the WordPress installation.

Affected Systems

WordPress sites running ThemeREX Grecko version 5.17 or earlier are affected. Users of later Grecko releases are not impacted. No other WordPress themes or plugins are listed as vulnerable.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity. The EPSS score is below 1%, suggesting low current exploitation probability. It is not listed in the CISA KEV catalog. Because the issue is unauthenticated and the attack vector is local file inclusion, an attacker can exploit it without needing privileged access to the site, but must have a way to trigger the vulnerable code path—likely through crafted URLs or reflected input. The potential impact ranges from information disclosure to remote code execution on the server depending on the included files.

Generated by OpenCVE AI on June 17, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Grecko theme to version 5.18 or later
  • If an update is not immediately possible, disable or remove the Grecko theme from the site
  • Restrict file inclusion by applying web application firewall rules to block attempts to include local files

Generated by OpenCVE AI on June 17, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex grecko
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex grecko
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Grecko <= 5.17 versions.
Title WordPress Grecko theme <= 5.17 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Grecko
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:46:31.679Z

Reserved: 2025-12-29T11:19:54.138Z

Link: CVE-2025-69162

cve-icon Vulnrichment

Updated: 2026-06-17T10:46:26.641Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:25Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')