Description
Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions.
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic unauthenticated Local File Inclusion (LFI) in the WordPress Mr. SEO Theme supplied by Elated‑Themes. An attacker can supply a path parameter in a request that is not properly sanitized, allowing the theme to read arbitrary files or include PHP files on the server. If a PHP file is included, execution of code on the server’s behalf becomes possible, giving the attacker the same privileges as the web server process, potentially leading to full system compromise. Even if code execution is not achieved, the attacker can obtain sensitive configuration files, database credentials, or other confidential data, thereby compromising confidentiality and integrity of the site data.

Affected Systems

Versions of the WordPress Mr. SEO Theme up to and including 2.0 are affected. The theme is distributed by Elated‑Themes and is a popular component of WordPress installations. All sites running Mr. SEO 2.0 or older face this risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1 and an EPSS score of less than 1 %. It is not listed in the CISA KEV catalog, indicating that there are no publicly known active exploits yet. However, the lack of authentication control means that any user who can reach the vulnerable URL can trigger the inclusion. The attack requires no specialized skills beyond crafting a crafted request, and the resulting impact can range from data leakage to full remote code execution depending on the included file. In the absence of mitigation, the risk remains significant for unpatched sites.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Remediation

Vendor Solution

Update the WordPress Mr. SEO Theme to the latest available version (at least 2.1).


OpenCVE Recommended Actions

  • Apply the latest version of the WordPress Mr. SEO Theme (at least 2.1) from Elated‑Themes.
  • Configure your web server or .htaccess to block direct requests to the theme’s PHP files or to deny request paths that contain directory traversal characters, preventing the LFI trigger.
  • Implement a Web Application Firewall rule or use rate limiting to filter requests containing suspicious path traversal patterns, providing temporary protection until the theme is updated.

Generated by OpenCVE AI on June 17, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes mr Seo
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes mr Seo
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Mr. SEO <= 2.0 versions.
Title WordPress Mr. SEO theme <= 2.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Elated-themes Mr Seo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T10:40:09.776Z

Reserved: 2026-04-07T10:48:32.434Z

Link: CVE-2026-39568

cve-icon Vulnrichment

Updated: 2026-06-17T10:40:03.570Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:44:07Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')