Description
Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.
Published: 2026-07-02
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to specify arbitrary file paths in a request to the Audrey theme, enabling local file inclusion. This can lead to reading sensitive configuration files, credentials, or potentially executing code if the included file contains exploitable content. The weakness is a classic CWE‑98 Local File Inclusion, and it can compromise confidentiality and integrity of the site without requiring authentication.

Affected Systems

WordPress sites that use the Elated‑Themes Audrey theme version 1.5 or earlier are affected. The issue is present in all Audrey theme releases through that version. No other WordPress core or plugin versions are listed in the advisory.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can trigger the flaw via an unauthenticated HTTP request targeting the theme, so anyone with network access to the site can attempt it, although the CVSS vector rates attack complexity as high (AC:H). There are currently no publicly known exploits, but the lack of authentication combined with a high CVSS score means the risk of exploitation should be considered significant.

Generated by OpenCVE AI on July 2, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Audrey theme to a version newer than 1.5, or apply the latest vendor‑supplied fix if available.
  • Review theme configuration files for unsanitized file path usage and remove any options that allow user‑supplied file references.
  • Implement web‑application or server‑level input validation to block directory traversal characters (e.g., '..') in file path parameters.



Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
Description Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.
Title WordPress Audrey theme <= 1.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T12:39:29.644Z

Reserved: 2026-04-27T08:22:05.096Z

Link: CVE-2026-42382

Vulnrichment

Updated: 2026-07-02T12:39:26.899Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')