Description
Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated Local File Inclusion flaw that allows a malicious actor to include arbitrary files on the server through the WordPress ChapterOne theme. This weakness arises from improper file path handling, as identified by CWE-98. If exploited, the attacker could read sensitive files, execute arbitrary code, or pivot to other parts of the system, compromising confidentiality, integrity, and potentially availability.

Affected Systems

WordPress sites running the ChapterOne theme from Mikado-Themes up to and including version 1.7 are affected. No specific minor patch levels are listed; all releases of ChapterOne 1.7 or earlier are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. Since the EPSS score is not available and the vulnerability is not listed in CISA KEV, exploitation likelihood is not precisely quantified, but the unauthenticated nature and ease of triggering file inclusion suggest a significant potential for exploitation. The likely attack vector is through a crafted request that manipulates the theme’s file inclusion logic to read arbitrary files from the server.

Generated by OpenCVE AI on June 18, 2026 at 12:16 UTC.

Remediation

Vendor Solution

Update the WordPress ChapterOne Theme to the latest available version (at least 1.8).


OpenCVE Recommended Actions

  • Upgrade the WordPress ChapterOne Theme to version 1.8 or later, which removes the vulnerable file inclusion logic.
  • If the theme cannot be upgraded immediately, deactivate or remove the ChapterOne Theme to eliminate the attack surface.
  • Apply strict file permissions or .htaccess rules to the theme directory to prevent PHP execution and file inclusion from that directory.

Generated by OpenCVE AI on June 18, 2026 at 12:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes chapterone
Mikado-themes halstein
Vendors & Products Mikado-themes
Mikado-themes chapterone
Mikado-themes halstein

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in ChapterOne <= 1.7 versions.
Title WordPress ChapterOne theme <= 1.7 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Mikado-themes Chapterone Halstein
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:32:05.473Z

Reserved: 2026-04-15T09:19:28.916Z

Link: CVE-2026-40731

cve-icon Vulnrichment

Updated: 2026-06-17T14:32:00.237Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:01Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')