Description
Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Local File Inclusion (LFI) exists in the Roneous theme with versions up to 2.1.5. The flaw permits an attacker to specify a file path and have the theme include that file in the output, potentially exposing sensitive content. The precise response is not detailed by the vendor, but the nature of the vulnerability implies that arbitrary local files could be read if the inclusion is not properly guarded.

Affected Systems

WordPress installations that have the Roneous theme (produced by THEMELOGI) installed at version 2.1.5 or earlier are affected. No additional products or versions are listed as impacted.

Risk and Exploitability

The CVSS score of 8.1 classifies this as high severity, yet the EPSS score is below 1%, indicating a low likelihood of being exploited in the wild. This vulnerability is not present in the CISA KEV catalog. The likely attack vector would involve an unauthenticated user creating a request that the theme processes, such as manipulating a query string or other input to trigger the file inclusion. Because the flaw is unauthenticated, an attacker does not need prior access to the site. The risk primarily concerns disclosure of local files, which might include configuration data or other sensitive information that could enable further attacks.

Generated by OpenCVE AI on June 17, 2026 at 19:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched version of the Roneous theme (v2.1.6 or newer).
  • Disable or remove the Roneous theme from the WordPress installation until the vulnerability is fixed.
  • Configure server or application settings to reject arbitrary file includes, such as disabling allow_url_include and enforcing strict file path validation.

Generated by OpenCVE AI on June 17, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Themelogi
Themelogi roneous
Wordpress
Wordpress wordpress
Vendors & Products Themelogi
Themelogi roneous
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Roneous <= 2.1.5 versions.
Title WordPress Roneous theme <= 2.1.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themelogi Roneous
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:45:07.291Z

Reserved: 2025-12-29T11:20:07.744Z

Link: CVE-2025-69177

cve-icon Vulnrichment

Updated: 2026-06-17T10:45:00.792Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:06Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')