Description
Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Local File Inclusion vulnerability (CWE-98) exists in the Truemag theme for WordPress up to version 4.3.14.2. The flaw allows an attacker to instruct the theme to include arbitrary local files, potentially exposing sensitive information stored on the server or enabling execution of malicious code if the accessed file contains executable content. The impact is primarily a confidentiality breach, with the possibility of further escalation depending on the server configuration and available files.

Affected Systems

WordPress sites that employ the Truemag theme supplied by CactusThemes. Versions up to and including 4.3.14.2 are affected. Sites that have not applied the latest version or have retained these legacy versions remain vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attack vectors include manipulation of theme configuration or URLs that trigger the inclusion logic. Successful exploitation requires unauthenticated access to the site and the ability to influence the path used in the inclusion. The overall risk is moderate due to the high severity but low exploitation likelihood.

Generated by OpenCVE AI on June 18, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Truemag theme release (4.3.14.3 or newer) to eliminate the flaw.
  • If an update is not immediately possible, deactivate or remove the Truemag theme from the WordPress installation.
  • Configure web server or application settings to restrict file inclusion paths, such as denying execution of arbitrary files from theme directories via .htaccess or equivalent controls.

Generated by OpenCVE AI on June 18, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Cactusthemes
Cactusthemes truemag
Wordpress
Wordpress wordpress
Vendors & Products Cactusthemes
Cactusthemes truemag
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Truemag <= 4.3.14.2 versions.
Title WordPress Truemag theme <= 4.3.14.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Cactusthemes Truemag
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:44:51.416Z

Reserved: 2025-12-29T11:20:07.744Z

Link: CVE-2025-69178

cve-icon Vulnrichment

Updated: 2026-06-17T10:44:46.858Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:04Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')