Description
Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated Local File Inclusion is present in versions of the WordPress Uppercase theme older than 1.2.2. The flaw allows an attacker to control the file path included by the theme, potentially reading sensitive files from the server. This can expose configuration data, credentials, or other confidential information stored on the host.

Affected Systems

Any WordPress site that has the Uppercase theme installed, specifically versions lower than 1.2.2, is vulnerable. The issue affects all authors or site operators using this theme in its outdated state.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating a high severity level. EPSS information is not available, so the exploitation likelihood cannot be quantified at this time. The bug is not listed in the CISA Known Exploited Vulnerabilities catalog. It is inferred that the attack likely proceeds by manipulating a parameter that the theme uses to include files, allowing an unauthenticated attacker to specify arbitrary file paths on the server.

Generated by OpenCVE AI on June 18, 2026 at 11:47 UTC.

Remediation

Vendor Solution

Update the WordPress Uppercase Theme to the latest available version (at least 1.2.2).


OpenCVE Recommended Actions

  • Update the Uppercase theme to version 1.2.2 or newer
  • If an update is not possible, disable or delete the theme to eliminate the vulnerability
  • Configure the web server to restrict read access to site files and disable directory listing

Generated by OpenCVE AI on June 18, 2026 at 11:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Codesupplyco
Codesupplyco uppercase
Wordpress
Wordpress wordpress
Vendors & Products Codesupplyco
Codesupplyco uppercase
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions.
Title WordPress Uppercase theme < 1.2.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Codesupplyco Uppercase
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:54:46.460Z

Reserved: 2026-04-07T10:48:26.893Z

Link: CVE-2026-39559

cve-icon Vulnrichment

Updated: 2026-06-17T14:54:31.802Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T22:57:46Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')