Description
Unauthenticated Local File Inclusion in Eros <= 1.3 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows unauthenticated users to include arbitrary local files through the Eros theme’s exposed input handling. This Local File Inclusion flaw (CWE‑98) can expose sensitive data stored on the web server and, if combined with other weaknesses, may serve as a foothold for more extensive compromise.

Affected Systems

WordPress sites that use the ThemeREX Eros theme version 1.3 or earlier are affected. Any installation of Eros v1.3 or older must be considered vulnerable until the theme is upgraded.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests a low current exploitation probability. Based on the description, it is inferred that attackers can trigger the issue by sending a crafted request to a publicly reachable endpoint within the theme, making the flaw relatively easy to exercise for anyone with network access to the site. Although not listed in CISA’s KEV catalogue, the potential impact on confidentiality and integrity warrants prompt action.

Generated by OpenCVE AI on June 17, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eros theme to a version newer than 1.3 that removes the local file inclusion flaw.
  • If an upgrade is not possible, deactivate or delete the Eros theme to eliminate the vulnerable code paths.
  • Restrict file inclusion paths by enabling open_basedir or disabling allow_url_include, and set strict file permissions to limit unintended access.
  • Monitor web server logs for suspicious file inclusion attempts and routinely audit PHP configuration for default or insecure settings.

Generated by OpenCVE AI on June 17, 2026 at 20:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex eros
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex eros
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Eros <= 1.3 versions.
Title WordPress Eros theme <= 1.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Eros
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:45:50.943Z

Reserved: 2025-12-29T11:19:59.292Z

Link: CVE-2025-69167

cve-icon Vulnrichment

Updated: 2026-06-17T10:45:44.283Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:21Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')