Description
Unauthenticated Local File Inclusion in Getaway < 1.8 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Local File Inclusion flaw exists in all WordPress Getaway theme versions earlier than 1.8. The weakness permits an attacker to read arbitrary files located on the server, such as configuration files or database credentials. The CVE description does not explicitly state that executing PHP source files leads to remote code execution; based on the nature of the vulnerability, it is inferred that if a PHP file were read and subsequently executed by the server, code execution could result, but this is not confirmed by the provided information.

Affected Systems

The vulnerability affects the WordPress Getaway theme developed by Select‑Themes. Any installation running the theme in a version below 1.8 is susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity, while its EPSS score of less than 1 % suggests a low likelihood of exploitation at present. It is not listed in CISA KEV. Attackers can exploit the vulnerability unauthenticated by manipulating URL parameters that the theme interprets as file paths; the likely attack vector involves sending a specially crafted request to the theme’s front‑end, resulting in the inclusion of local files.

Generated by OpenCVE AI on June 17, 2026 at 20:36 UTC.

Remediation

Vendor Solution

Update the WordPress Getaway Theme to the latest available version (at least 1.8).


OpenCVE Recommended Actions

  • Update the WordPress Getaway Theme to version 1.8 or newer.
  • If an immediate update is not possible, configure the server or theme to validate requested file paths, ensuring that only whitelisted directories are accessible and preventing directory traversal or arbitrary file inclusion.
  • After applying the patch, monitor access logs for suspicious file requests and scan the site for injected code to confirm the vulnerability has been fully mitigated.

Generated by OpenCVE AI on June 17, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes getaway
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes getaway
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Getaway < 1.8 versions.
Title WordPress Getaway theme < 1.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Select-themes Getaway
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:41:35.788Z

Reserved: 2026-04-07T10:48:21.621Z

Link: CVE-2026-39547

cve-icon Vulnrichment

Updated: 2026-06-17T10:41:30.747Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:12Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')