Description
Unauthenticated Local File Inclusion in Right Way <= 4.0 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated local file inclusion vulnerability exists in the WordPress Right Way theme version 4.0 and earlier. This weakness allows an attacker to supply a crafted request that forces the theme to read and display files from the server’s file system. The impact is the unauthorized disclosure of sensitive server files such as configuration files, which could reveal database credentials and other secrets. Additionally, if the included files contain executable code or can be manipulated to trigger further weaknesses, the attacker might be able to execute arbitrary commands on the host. The weakness is categorized under CWE‑98.

Affected Systems

The affected product is the Themeum Right Way WordPress theme, versions 4.0 and lower. WordPress sites that have deployed these theme versions are at risk until the theme is upgraded to a newer release that removes the vulnerability.

Risk and Exploitability

The vulnerability carries a high CVSS score of 8.1, indicating that it is both serious and relatively easy to exploit. While no EPSS score is available, the lack of a KEV listing means no confirmed exploits have been reported as of the last update. The likely attack vector is a remote attacker sending a specially crafted URL or request to the site’s public interface that triggers the theme’s inclusion mechanism. Because the vulnerability is unauthenticated, any visitor with network access can potentially exploit it, making it a significant risk to confidentiality and integrity for affected sites.

Generated by OpenCVE AI on June 18, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Right Way theme to a version newer than 4.0 that contains the LFI fix.
  • If an upgrade is not immediately possible, disable or remove the vulnerable theme from the site and switch to a non‑vulnerable alternative.
  • Configure the web server or site’s .htaccess to deny direct access to sensitive files such as wp-config.php, and disable PHP file inclusion from external inputs when possible.

Generated by OpenCVE AI on June 18, 2026 at 12:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum right Way
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum right Way
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Right Way <= 4.0 versions.
Title WordPress Right Way theme <= 4.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themeum Right Way
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:31:54.333Z

Reserved: 2026-01-07T12:21:02.765Z

Link: CVE-2026-22330

cve-icon Vulnrichment

Updated: 2026-06-17T15:31:48.773Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:08Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')