Description
Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated local file inclusion flaw in the WordPress Hitek theme versions older than 1.8.3. Attackers can craft requests that cause the theme to include arbitrary files from the server, potentially leading to sensitive information disclosure or further exploitation if code files are included.

Affected Systems

The affected product is the WordPress Hitek theme developed by xtemos, specifically any installation using a version less than 1.8.3. This theme is commonly deployed on WordPress sites hosted on PHP servers.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. No EPSS score is available, so current exploitation probability is unknown, yet the flaw remains unpatched in many environments. Because the vulnerability requires no authentication and has no access controls, it can be triggered by any user who can manipulate the request parameters that feed the file inclusion logic. The lack of listing in CISA KEV does not mitigate the risk if the theme remains in use.

Generated by OpenCVE AI on June 18, 2026 at 12:18 UTC.

Remediation

Vendor Solution

Update the WordPress Hitek Theme to the latest available version (at least 1.8.3).


OpenCVE Recommended Actions

  • Upgrade the WordPress Hitek Theme to version 1.8.3 or later
  • If an upgrade is not immediately feasible, restrict the file paths that can be included by configuring server restrictions such as .htaccess rules or disabling the vulnerability‑prone functionality within the theme
  • Maintain regular vulnerability assessments of the WordPress installation and promptly apply security updates to core, plugins, and themes

Generated by OpenCVE AI on June 18, 2026 at 12:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Xtemos
Xtemos hitek
Vendors & Products Wordpress
Wordpress wordpress
Xtemos
Xtemos hitek

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Hitek < 1.8.3 versions.
Title WordPress Hitek theme < 1.8.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:27:43.975Z

Reserved: 2026-04-07T10:48:38.855Z

Link: CVE-2026-39582

cve-icon Vulnrichment

Updated: 2026-06-17T15:27:38.945Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-20T23:04:25Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')