Description
Unauthenticated Local File Inclusion in Etude <= 1.6 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to trigger a local file inclusion in WordPress sites that use the Etude theme up to version 1.6. This flaw can lead to disclosure of sensitive files on the server, as the attacker exploits insufficient input validation on file path handling, coded as CWE‑98. The impact is primarily a confidentiality breach, exposing server‑side content that could contain credentials, configuration files, or other confidential data. The vulnerability exists without authentication and does not directly provide arbitrary code execution but can be a stepping‑stone to further attacks.

Affected Systems

WordPress sites that have installed the ThemeREX Etude theme version 1.6 or earlier are affected. The vulnerability is tied specifically to the Etude theme bundle released by ThemeREX. No other versions or themes are listed as impacted.

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity. The EPSS score is not available, so the current exploitation probability cannot be quantified but the absence of a KEV listing suggests no widespread, actively exploited instances are yet known. The likely attack vector involves sending a crafted HTTP request that manipulates file path parameters used by the theme. The flaw does not require user credentials, making it exploitable by a global attacker who can target any publicly reachable instance running an affected version.

Generated by OpenCVE AI on June 18, 2026 at 13:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Etude theme to the latest release that removes the inclusion flaw, if available.
  • If an update is not possible, isolate the theme’s directory by applying web‑server level access restrictions or by renaming the directory so that it is no longer reachable via the web.
  • Disable file editing from the WordPress dashboard and enforce file‑system permissions that prevent PHP scripts from reading non‑public files.

Generated by OpenCVE AI on June 18, 2026 at 13:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex etude
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex etude
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Etude <= 1.6 versions.
Title WordPress Etude theme <= 1.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Etude
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:45:52.831Z

Reserved: 2025-12-29T11:20:07.743Z

Link: CVE-2025-69174

cve-icon Vulnrichment

Updated: 2026-06-17T14:45:48.440Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:31Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')