Description
Unauthenticated Local File Inclusion in Atomlab <= 2.4.5 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Atomlab WordPress theme up to and including version 2.4.5 contains an unauthenticated Local File Inclusion flaw. The vulnerability allows an attacker who can reach the site’s web interface to supply crafted file paths that the theme then includes directly. Without any authentication guard, the attacker can read arbitrary files on the server, potentially exposing configuration data, credentials, or other confidential information. In the worst case, if the attacker controls a writable directory, the flaw could be escalated to remote code execution by including locally crafted scripts.

Affected Systems

ThemeMove’s Atomlab theme for WordPress. All installations running version 2.4.5 or earlier are affected. Any WordPress site that still uses the theme and has not elevated to version 2.4.6 or newer is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 signals high severity, while the EPSS score is currently unavailable, leaving the exploitation probability unknown. The vulnerability is not listed in CISA’s KEV catalog yet, but the lack of an authentication requirement means an attacker can trigger the flaw from any location that can access the affected site. The straightforward exploitation path—sending a crafted request that directs the theme to include an arbitrary local file—makes the risk significant for unpatched sites.

Generated by OpenCVE AI on June 18, 2026 at 11:46 UTC.

Remediation

Vendor Solution

Update the WordPress Atomlab Theme to the latest available version (at least 2.4.6).


OpenCVE Recommended Actions

  • Update the Atomlab Theme to version 2.4.6 or later.
  • Configure the web server or .htaccess to deny direct access to the theme’s internal directories and disable PHP execution in those locations.
  • Perform a comprehensive security scan of the theme and other installed plugins to detect similar local file inclusion or path traversal flaws.

Generated by OpenCVE AI on June 18, 2026 at 11:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Thememove
Thememove atomlab
Wordpress
Wordpress wordpress
Vendors & Products Thememove
Thememove atomlab
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Atomlab <= 2.4.5 versions.
Title WordPress Atomlab theme <= 2.4.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Thememove Atomlab
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T15:28:34.015Z

Reserved: 2026-04-07T10:48:44.714Z

Link: CVE-2026-39590

cve-icon Vulnrichment

Updated: 2026-06-17T14:11:07.496Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:41:22Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')