Description
Unauthenticated Local File Inclusion in Choreo <= 1.6 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated local file inclusion flaw exists in the WordPress Choreo theme versions 1.6 and earlier, classified as CWE‑98. This weakness allows an attacker to influence the inclusion of arbitrary local files on the server, potentially exposing sensitive data or executing malicious code if a vulnerable file is included.

Affected Systems

The vulnerability affects the ThemeREX Choreo theme for WordPress, specifically all releases up to and including version 1.6.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the issue without authentication by manipulating a request that triggers the theme’s file inclusion logic, potentially leading to information disclosure or remote code execution if the chosen file contains executable code.

Generated by OpenCVE AI on June 17, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Choreo theme to version 1.7 or later, which removes the LFI flaw.
  • If an immediate update is not possible, deactivate or uninstall the Choreo theme to eliminate the entry point.
  • As a temporary measure, configure the web server or use a .htaccess rule to deny direct access to the theme’s PHP files, preventing inclusion via external requests.

Generated by OpenCVE AI on June 17, 2026 at 19:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex choreo
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex choreo
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Choreo <= 1.6 versions.
Title WordPress Choreo theme <= 1.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Choreo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:46:04.334Z

Reserved: 2025-12-29T11:19:59.291Z

Link: CVE-2025-69165

cve-icon Vulnrichment

Updated: 2026-06-17T10:45:59.811Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:22Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')