Description
Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Local File Inclusion vulnerability exists in the WordPress Orpheus theme, versions 1.3 and earlier. It allows an attacker to supply a file path that the theme code includes without proper validation. This flaw can expose sensitive files such as configuration credentials or, if an attacker can include executable code, lead to remote code execution. The vulnerability stems from missing input sanitization and is classified as CWE-98.

Affected Systems

All installations of the WordPress Orpheus theme from ThemeREX running version 1.3 or earlier are affected. No other products or versions are listed; only the theme up to and including 1.3 is known to be vulnerable.

Risk and Exploitability

The CVSS score of 8.1 classifies the issue as high severity. While EPSS data is unavailable, the lack of mitigation information and the critical impact of LFI suggest a substantial risk of exploitation. The flaw is not listed in the CISA KEV catalog, but the combination of unauthenticated access and the potential for remote code execution warrants immediate attention. An attacker would likely trigger the inclusion via crafted requests to vulnerable theme endpoints, exploiting the lack of user authentication and inadequate path validation.

Generated by OpenCVE AI on June 18, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Orpheus theme to the latest patched release (any version newer than 1.3) provided by ThemeREX.
  • If a theme upgrade cannot be performed promptly, remove or disable the Orpheus theme entirely from the WordPress installation to eliminate the vulnerable code path.
  • Configure a web application firewall or security plugin to block requests that attempt to include files from the theme directory, ensuring that file paths are not processed when unauthenticated.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions.
Title | | WordPress Orpheus theme <= 1.3 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:37:28.873Z

Reserved: 2025-12-29T11:19:59.292Z

Link: CVE-2025-69171

Vulnrichment

Updated: 2026-06-17T12:37:25.059Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T12:30:04Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')