Description
Unauthenticated Local File Inclusion in Promo <= 1.3.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Promo theme for WordPress, supplied by AxiomThemes, contains an unauthenticated local file inclusion flaw that allows an attacker to read arbitrary files on the server. The vulnerability arises from inadequate validation of file paths, so a request can control which local file is included. An attacker exploiting this weakness could expose sensitive configuration files, credentials, or other data, compromising confidentiality and potentially facilitating further attacks. The associated weakness is CWE-98, improper control of the filename passed to a PHP include/require statement, which reflects the missing file path sanitization.

Affected Systems

Any WordPress installation with the Promo theme at version 1.3.0 or earlier enabled is affected. Administrators should verify the installed theme version and upgrade where possible.

Risk and Exploitability

The CVSS score of 8.1 marks this as a high-severity vulnerability. Because the flaw is unauthenticated and reachable through the web interface, the attack vector is remote. The EPSS score is not reported, and the absence of a KEV listing means no in-the-wild exploitation is currently catalogued. Nevertheless, the combination of a high CVSS score and remote, unauthenticated reachability warrants prompt remediation. Where the vulnerability cannot be patched immediately, an existing web application firewall or access controls may reduce exposure.

Generated by OpenCVE AI on June 18, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Promo theme to the latest version that resolves the file inclusion flaw (currently any release above 1.3.0).
  • If an immediate upgrade is not possible, restrict web server access to the WordPress root directory so that file inclusion requests cannot resolve to sensitive system or configuration files, disallowing directory traversal and paths outside the intended directory.
  • Consider configuring the web application firewall to block requests containing path traversal sequences such as '../' or other suspicious patterns that could trigger the inclusion of local files.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 17 Jun 2026 11:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Unauthenticated Local File Inclusion in Promo <= 1.3.0 versions.
Title       |                | WordPress Promo theme <= 1.3.0 - Local File Inclusion vulnerability
Weaknesses  |                | CWE-98
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:41:12.855Z

Reserved: 2026-01-07T12:21:02.765Z

Link: CVE-2026-22325

Vulnrichment

Updated: 2026-06-17T12:41:08.149Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T12:30:04Z

Weaknesses
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')