Description
Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Local File Inclusion in the WordPress Eventicity theme version 1.5 or earlier allows an attacker to read arbitrary files on the server. This vulnerability is categorized as CWE‑98 and can lead to disclosure of sensitive configuration files, credentials, or other private data. The lack of authentication or input validation means that any visitor can supply a crafted path to include unintended files, potentially exposing confidential information.

Affected Systems

The vulnerability affects the Eventicity theme developed by ThemeREX for WordPress. All installations running version 1.5 or earlier are impacted. Users of this theme who have not updated to a newer release are at risk, while version 1.6 and above are considered safe once patched. The specific product name is WordPress Eventicity theme by ThemeREX.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, reflecting the threat of accessing data without authentication. Although an EPSS score is not available, the vulnerability is not present in CISA’s KEV list, suggesting no publicly known exploits yet; however the high CVSS and unauthenticated nature mean that attackers could trivially exploit the flaw via crafted requests. The attack vector is inferred to be remote over HTTP, requiring only that the target be reachable and that the theme’s file‑include mechanism is accessible. The absence of mitigations such as input sanitization or access controls makes exploitation straightforward.

Generated by OpenCVE AI on June 18, 2026 at 11:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Eventicity theme to the latest version that contains the fix (version 1.6 or later).
  • Immediately disable the theme or remove it from production sites if an update cannot be applied urgently.
  • If an update is not yet available, configure a web application firewall to block or sanitize file path parameters used by the theme to prevent malicious file inclusion.

Generated by OpenCVE AI on June 18, 2026 at 11:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex eventicity
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex eventicity
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Eventicity <= 1.5 versions.
Title WordPress Eventicity theme <= 1.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Eventicity
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:05:56.046Z

Reserved: 2025-12-29T11:19:59.292Z

Link: CVE-2025-69170

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:52Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')