Description
Unauthenticated Local File Inclusion in Solene <= 3.4 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Local File Inclusion flaw exists in the Solene WordPress theme versions up to 3.4. The vulnerability allows an attacker to read arbitrary files from the server; based on the nature of LFI, it is inferred that including a PHP file could allow code execution, though this is not explicitly confirmed in the description. This flaw can compromise confidentiality, integrity, and availability of the site and its underlying server. The weakness is a classic file inclusion defect (CWE-98).

Affected Systems

The issue affects installations of the Solene theme produced by Elated‑Themes for WordPress. Any site running Solene 3.4 or earlier is susceptible, regardless of the WordPress core version. The exact affected versions are all releases up to and including 3.4.

Risk and Exploitability

The CVSS score of 8.1 marks this as a high severity flaw. The EPSS score of less than 1% indicates a very low likelihood of current exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Inference suggests the attack vector involves manipulation of URL parameters to pass a file path to the vulnerable inclusion point; no authentication is required. Though the exploitation probability is low, the high impact warrants prompt action.

Generated by OpenCVE AI on June 17, 2026 at 20:37 UTC.

Remediation

Vendor Solution

Update the WordPress Solene Theme to the latest available version (at least 3.4.1).


OpenCVE Recommended Actions

  • Upgrade the Solene theme to version 3.4.1 or later, the first officially supported fix.
  • Disable WordPress file editing by setting the define('DISALLOW_FILE_EDIT', true) directive in wp-config.php to prevent attackers from uploading or modifying files.
  • Configure the web server or .htaccess to restrict direct access to theme directories and disable execution of PHP in those locations, reducing the risk of arbitrary code execution from included files.

Generated by OpenCVE AI on June 17, 2026 at 20:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes solene
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes solene
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Solene <= 3.4 versions.
Title WordPress Solene theme <= 3.4 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Solene
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:42:16.808Z

Reserved: 2026-04-07T10:48:03.414Z

Link: CVE-2026-39522

cve-icon Vulnrichment

Updated: 2026-06-17T10:42:11.728Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:14Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')