Description
Unauthenticated Local File Inclusion in Tipsy <= 1.1 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in WordPress Tipsy theme versions 1.1 and earlier allows an unauthenticated attacker to trigger a local file inclusion (LFI). By manipulating the theme’s internal file path handling, an attacker can read arbitrary files from the server, including sensitive configuration files or logs that may contain credentials or other private data. If the attacker is able to force the inclusion of a PHP file that contains malicious code, the LFI could be leveraged as a foothold for remote code execution, potentially leading to full compromise of the site.

Affected Systems

Any WordPress installation that has the ThemeREX Tipsy theme of version 1.1 or lower. The weakness is confined to this theme’s file handling logic and does not affect other WordPress core files or plugins unless they import the same vulnerable components.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity for this LFI. While an EPSS score is not available, the vulnerability is not listed in the CISA KEV catalog, suggesting that there are currently no known widespread exploits. Nevertheless, the attack vector is effectively anyone with access to the web interface, and the vulnerability can be exploited without authentication. The lack of detected exploits does not reduce the risk because the LFI is easy to trigger once the vulnerable theme is installed.

Generated by OpenCVE AI on June 18, 2026 at 12:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tipsy theme to the latest version that is not affected by this LFI (any version greater than 1.1).
  • If an upgrade is not immediately possible, deactivate or delete the Tipsy theme files from the WordPress installation to prevent the vulnerability from being exploitable.
  • Configure the WordPress environment and PHP settings to prevent inclusion of local files, such as setting allow_url_include to Off and ensuring that file permissions for sensitive directories are tightly restricted.

Generated by OpenCVE AI on June 18, 2026 at 12:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex tipsy
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex tipsy
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Tipsy <= 1.1 versions.
Title WordPress Tipsy theme <= 1.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Tipsy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T13:38:24.811Z

Reserved: 2025-12-29T11:19:59.292Z

Link: CVE-2025-69173

cve-icon Vulnrichment

Updated: 2026-06-17T13:38:17.856Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:15Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')