Description
Unauthenticated Local File Inclusion in Malmö <= 2.2 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Malmö theme for WordPress contains an unauthenticated Local File Inclusion flaw, allowing an attacker to request arbitrary files on the web server’s file system through a vulnerable parameter. This weakness, categorized as CWE‑98, can result in unauthorized disclosure of sensitive configuration files or, if the included file is executable, could lead to remote code execution. The impact is significant as it can expose proprietary code, user data, or even compromise the entire site.

Affected Systems

The vulnerability affects installations of the Elated‑Themes Malmö WordPress theme, versions 2.2 and older. Any site running these versions without additional protective measures is at risk.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, and while the EPSS score is not available, the lack of a KEV listing does not diminish the threat. The flaw is reachable without authentication and can be exploited over the network by constructing a crafted URL pointing to the vulnerable inclusion point. Attackers would need to know the correct parameter name, but local file inclusion is a well‑known exploit vector in WordPress themes, so the likelihood of exploitation is considered moderate to high.

Generated by OpenCVE AI on June 18, 2026 at 12:19 UTC.

Remediation

Vendor Solution

Update the WordPress Malmö Theme to the latest available version (at least 2.3).


OpenCVE Recommended Actions

  • Upgrade the Malmö theme to version 2.3 or later, which removes the vulnerable inclusion point.
  • Ensure that theme directories have restrictive permissions and that PHP execution is disabled for unexpected files to mitigate accidental code execution.
  • Configure a web application firewall or use WordPress security plugins to block path traversal attempts targeting the theme’s file system.

Generated by OpenCVE AI on June 18, 2026 at 12:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes malmö
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes malmö
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Malmö <= 2.2 versions.
Title WordPress Malmö theme <= 2.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Malmö
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:29:20.114Z

Reserved: 2026-04-07T10:48:26.893Z

Link: CVE-2026-39558

cve-icon Vulnrichment

Updated: 2026-06-17T14:29:09.147Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:02Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')