Description
Unauthenticated Local File Inclusion in AutoParts <= 1.5.8 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Local File Inclusion in WordPress AutoParts theme versions up to 1.5.8 allows attackers to include arbitrary files from the server. The flaw arises from unsanitized input that is used in a file inclusion context, leading to potential disclosure of sensitive data such as configuration files or user credentials. This weakness is identified as CWE-98 and could let an attacker gain additional insight into the site's configuration or environment.

Affected Systems

ThemeREX:AutoParts theme in WordPress installations running version 1.5.8 or earlier.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity vulnerability, and the lack of an EPSS score means the exploitation probability is not currently quantified. The vulnerability is not listed in CISA KEV, but it can be triggered by any unauthenticated user: the CVSS vector lists no required privileges (PR:N), and "local" in LFI refers to the files included from the server, not to the attacker's position. The attack vector is inferred to be direct manipulation of a URL parameter that is not properly validated.

Generated by OpenCVE AI on June 18, 2026 at 12:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AutoParts theme to a patched version that removes the local file inclusion flaw.
  • Implement strict input validation for any theme parameters that determine file paths, allowing only approved file names or directories.
  • Deploy a Web Application Firewall rule that blocks requests containing common LFI indicators such as '/../', '|', or attempts to include configuration files.


Advisories

No advisories yet.

History

Wed, 17 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Local File Inclusion in AutoParts <= 1.5.8 versions.
Title | | WordPress AutoParts theme <= 1.5.8 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T12:40:34.305Z

Reserved: 2026-01-07T12:21:02.765Z

Link: CVE-2026-22331

Vulnrichment

Updated: 2026-06-17T12:40:27.320Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T12:30:04Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')