Description
Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated Local File Inclusion flaw exists in WordPress Aperitif Theme versions up to 1.5. The vulnerability allows an attacker to specify a file path parameter that is not properly validated, enabling read access to files outside the intended directory. If exploited, an attacker could obtain sensitive configuration files, credentials, or other files that reveal sensitive information or, in combined circumstances, potentially lead to remote code execution. The weakness is classified as CWE‑98, which describes improper validation or sanitization of a file name or path.

Affected Systems

The problem is limited to installations of the WordPress Aperitif Theme provided by Elated‑Themes, specifically versions 1.5 or earlier. Systems running WordPress with this theme and not yet updated to a later release are at risk.

Risk and Exploitability

The assessed CVSS score of 8.1 places this vulnerability in the High severity range, indicating a substantial threat if exploited. The EPSS score is reported as less than 1%, reflecting a very low but non‑zero probability of active exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, which may limit visibility to security teams. Given the unauthenticated nature of the flaw, any user who can trigger the vulnerable request path can potentially read arbitrary files, making the threat vector remote via the web interface.

Generated by OpenCVE AI on June 17, 2026 at 18:17 UTC.

Remediation

Vendor Solution

Update the WordPress Aperitif Theme to the latest available version (at least 1.6).


OpenCVE Recommended Actions

  • Update the Aperitif Theme to version 1.6 or later, as provided by Elated‑Themes
  • After updating, review and limit file permissions in the WordPress root to prevent unrestricted read access to configuration files
  • Deploy a web application firewall rule or modify server configuration (.htaccess or server blocks) to block or sanitize file path parameters that can reach the theme’s vulnerable handler

Generated by OpenCVE AI on June 17, 2026 at 18:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes aperitif
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes aperitif
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions.
Title WordPress Aperitif theme <= 1.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Aperitif
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:41:08.160Z

Reserved: 2026-04-07T10:48:21.621Z

Link: CVE-2026-39549

cve-icon Vulnrichment

Updated: 2026-06-17T10:41:03.474Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T18:30:04Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')