Description
Unauthenticated Local File Inclusion in Solene Core <= 2.3.2 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Local File Inclusion (LFI) flaw in the Solene Core plugin for WordPress versions 2.3.2 and earlier. An attacker can supply a crafted input that causes the plugin to include arbitrary local files. The issue is classified as CWE‑98, which indicates a failure to properly validate and sanitize file paths. Since the flaw is unauthenticated, any user can attempt the exploit, potentially enabling the reading of sensitive files or the injection of malicious code if the included content is executable.

Affected Systems

Elated‑Themes Solene Core plugin, versions up to 2.3.2 are affected. The fix requires updating the plugin to at least version 2.3.4.

Risk and Exploitability

The CVSS score of 8.1 marks the vulnerability as high severity. Without an EPSS score, the current exploitation probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw permits arbitrary local file inclusion without authentication, an attacker with sufficient network access could potentially read privileged data or upload code that later leads to remote code execution. The most probable attack vector is crafted request parameters that bypass the plugin’s input validation.

Generated by OpenCVE AI on June 18, 2026 at 11:48 UTC.

Remediation

Vendor Solution

Update the WordPress Solene Core Plugin to the latest available version (at least 2.3.4).


OpenCVE Recommended Actions

  • Update the Solene Core plugin to version 2.3.4 or later.
  • Configure file permissions to restrict write access to plugin files to the WordPress administrator only.
  • Conduct a security scan of the site to detect any unauthorized file changes or injected code.

Generated by OpenCVE AI on June 18, 2026 at 11:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes solene Core
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes solene Core
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Solene Core <= 2.3.2 versions.
Title WordPress Solene Core plugin <= 2.3.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Solene Core
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:04:50.623Z

Reserved: 2026-04-07T10:48:09.605Z

Link: CVE-2026-39523

cve-icon Vulnrichment

Updated: 2026-06-17T14:04:46.520Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:29Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')