Description
Unauthenticated Local File Inclusion in ITactics <= 1.0 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Local File Inclusion in the ITactics WordPress theme versions 1.0 and earlier. An attacker can cause the web application to include files from the server file system, which may expose sensitive configuration files or allow the execution of arbitrary code if the attacker controls the included content. This flaw is identified by CWE-98.

Affected Systems

WordPress installations that use the ThemeREX ITactics theme with a version of 1.0 or earlier are affected. The issue applies to any site that has not upgraded the theme beyond the stated maximum vulnerable version.

Risk and Exploitability

The CVSS score of 8.1 signals a high severity, but the EPSS score indicates that the probability of exploitation is currently very low (<1%) and the vulnerability is not listed in CISA's KEV catalog. Despite this low likelihood, the flaw is unauthenticated, so an attacker could trigger it from any network location; the likely attack vector is via user‑supplied URLs or form inputs that are not properly sanitized, as inferred from the description.

Generated by OpenCVE AI on June 17, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ITactics theme to version 1.1 or later, which removes the vulnerable code.
  • If a patch is not yet available or upgrade is not feasible, disable or uninstall the ITactics theme to prevent exploitation.
  • As an additional precaution, enforce stricter file system permissions or configure the web server to deny reads of sensitive files to mitigate potential exposure during the remediation window.

Generated by OpenCVE AI on June 17, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex itactics
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex itactics
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in ITactics <= 1.0 versions.
Title WordPress ITactics theme <= 1.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Itactics
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:45:21.280Z

Reserved: 2025-12-29T11:20:07.744Z

Link: CVE-2025-69176

cve-icon Vulnrichment

Updated: 2026-06-17T10:45:16.254Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')