Description
Unauthenticated Local File Inclusion in EcoBlue <= 1.15 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Local File Inclusion flaw in the EcoBlue WordPress theme. It allows an attacker to manipulate a file include parameter to read files that should not be publicly accessible, and if the included file contains executable code, the attacker can run arbitrary code on the server. The weakness is documented as CWE‑98 and results in exposure of sensitive information and possible remote code execution, which can affect both the confidentiality and integrity of the site.

Affected Systems

The affected product is the EcoBlue theme provided by ThemeREX. Versions up to and including 1.15 are vulnerable. Any WordPress installation using one of these versions is at risk if the theme’s file inclusion logic is exposed through public URLs.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, and although no EPSS score is available, the lack of a KEV listing does not reduce the potential for exploitation. The likely attack vector is remote via the web interface, as the vulnerability is triggered by manipulating user-supplied input that is not properly validated. An attacker does not need privileged access or authentication to trigger the flaw, which increases the risk of successful exploitation.

Generated by OpenCVE AI on June 18, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EcoBlue theme to a version newer than 1.15 or to the latest release where the local file inclusion issue is fixed.
  • If upgrading is not immediately possible, remove orize any publicly exposed file include parameters within the theme’s code and configure the application to reject arbitrary file paths.
  • Apply restrictive file system permissions to the theme directory and its files so that only the web server can read them, thereby limiting an attacker’s ability to place malicious files for inclusion.

Generated by OpenCVE AI on June 18, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex ecoblue
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex ecoblue
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in EcoBlue <= 1.15 versions.
Title WordPress EcoBlue theme <= 1.15 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Themerex Ecoblue
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:32:43.327Z

Reserved: 2026-01-07T12:21:11.736Z

Link: CVE-2026-22338

cve-icon Vulnrichment

Updated: 2026-06-17T15:32:36.789Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:05Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')