Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.
Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.
AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.
AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, the exploit requires specific conditions (high complexity) to successfully leverage.
Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.
Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.
Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.
The Welldone WordPress theme through version 2.4 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated remote attackers to read arbitrary files from the affected server. With a CVSS score of 8.1, this vulnerability allows full compromise of confidentiality and integrity without requiring user interaction. No patch is currently available, making immediate mitigation through other means necessary.
Remote attackers can include arbitrary local files in the smartSEO WordPress theme (≤2.9) via a PHP Local File Inclusion vulnerability, potentially exposing sensitive configuration data or enabling server-side code execution. Despite high CVSS (8.1), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or CISA KEV listing. The vulnerability requires specific preconditions that increase attack complexity (AC:H), though exploitation succeeds without authentication or user interaction once conditions are met.
Local file inclusion in ThemeREX Muzicon WordPress theme versions ≤1.9.0 allows remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite a CVSS score of 8.1, real-world risk is moderated by high attack complexity (AC:H) and no confirmed active exploitation - EPSS probability is only 0.15% (36th percentile). The Patchstack report confirms the vulnerability but no public exploit code has been identified at time of analysis.
Local File Inclusion (LFI) in ThemeREX Save Life WordPress theme versions 1.2.13 and earlier enables remote unauthenticated attackers to read arbitrary files from the server filesystem and potentially achieve code execution by including uploaded or log files. Despite the network attack vector (AV:N), high attack complexity (AC:H) suggests successful exploitation requires specific server configurations or carefully crafted payloads. EPSS score of 0.15% (36th percentile) indicates low current exploitation probability, and no active exploitation is confirmed per CISA KEV or public exploit databases at time of analysis.
Local file inclusion in Artrium WordPress theme versions ≤1.0.14 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper file inclusion controls. Despite a high CVSS 8.1 score, EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world targeting. The vulnerability was disclosed by Patchstack's audit team with no confirmed active exploitation or public POC at time of analysis, though LFI vulnerabilities in WordPress themes are commonly targeted once proof-of-concept code becomes available.
Remote file inclusion vulnerability in ThemeREX WealthCo WordPress theme versions up to 2.18 allows unauthenticated remote attackers to include and execute arbitrary PHP files via manipulated filename parameters. Despite CVSS 8.1 rating, EPSS exploitation probability is low (0.15%, 36th percentile) with no CISA KEV listing or public exploit identified at time of analysis. Vulnerability stems from improper validation of file paths in PHP include/require statements, though attack complexity is rated High, suggesting specific conditions or chained exploitation required.
Local file inclusion in ThemeREX Marcell WordPress theme versions ≤1.2.14 allows remote attackers to read arbitrary files from the server filesystem and potentially execute malicious code. The vulnerability stems from improper validation of file paths in PHP include/require statements. Exploitation probability is low (EPSS 0.15%) with no confirmed active exploitation or public proof-of-concept at time of analysis. Discovered and reported by Patchstack's security audit team.
Local file inclusion in ThemeREX RexCoin WordPress theme versions up to 1.2.6 allows remote attackers to read arbitrary files and potentially achieve code execution without authentication. Despite the high CVSS score of 8.1, the low EPSS percentile (36%) and AC:H complexity suggest limited active exploitation. Patchstack audit team reported this vulnerability with proof-of-concept available, indicating realistic exploit feasibility against improperly configured installations.
Local file inclusion in ThemeREX Ozisti WordPress theme versions up to 1.1.10 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code by including malicious local files. Despite the high CVSS score of 8.1, exploitation requires high complexity (AC:H) and EPSS indicates only 0.15% probability of exploitation in the wild (36th percentile), suggesting limited real-world targeting. No active exploitation confirmed by CISA KEV, though Patchstack has documented the vulnerability with security researchers.
Local File Inclusion in ThemeREX Sounder WordPress theme versions through 1.3.11 enables remote attackers to include and execute arbitrary local PHP files without authentication. Despite the CVE title referencing 'Remote File Inclusion', technical analysis and Patchstack classification confirm this is a Local File Inclusion (LFI) vulnerability. With EPSS at 0.15% (36th percentile), widespread exploitation is unlikely, but successful attacks achieve high impact across confidentiality, integrity, and availability. No active exploitation confirmed via CISA KEV at time of analysis.
Local file inclusion in ThemeREX Coleo WordPress theme (versions ≤1.1.7) allows remote attackers to read arbitrary files and potentially execute PHP code via crafted file path manipulation. Despite high CVSS 8.1, exploitation requires high attack complexity (AC:H), and EPSS score of 0.15% (36th percentile) suggests limited real-world exploitation activity. No CISA KEV listing indicates this is not confirmed as actively exploited, though Patchstack database inclusion suggests security researcher identification and likely proof-of-concept existence.
Local file inclusion (LFI) vulnerability in ThemeREX Gamezone WordPress theme versions up to 1.1.11 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. The CVSS score of 8.1 reflects high complexity exploitation requiring specific conditions, while the low EPSS score (0.15%, 36th percentile) indicates minimal observed exploitation attempts in the wild. No active exploitation confirmed by CISA KEV at time of analysis.
PHP Local File Inclusion in ThemeREX Daiquiri WordPress theme versions ≤1.2.4 allows remote attackers to read arbitrary files or execute PHP code by exploiting improper filename control in include/require statements. Despite high CVSS (8.1), real-world risk is moderate: EPSS exploitation probability is low (0.15%, 36th percentile), no confirmed active exploitation exists, and attack complexity is high (AC:H). Patchstack audit identified this vulnerability, suggesting professional security review but no public exploit code at time of analysis.
Local file inclusion vulnerability in ThemeREX Aqualots WordPress theme versions up to 1.1.6 enables remote attackers to include arbitrary PHP files on the server without authentication. Despite the description's mention of 'remote file inclusion', the CVE is classified as CWE-98 (PHP Local File Inclusion) and tagged as LFI by Patchstack, indicating attackers can read sensitive files or execute local PHP code. EPSS exploitation probability is low (0.15%, 36th percentile) with no evidence of active exploitation or public POCs, though the high-complexity network attack vector suggests targeted exploitation scenarios.
Local file inclusion in ThemeREX Filmax WordPress theme versions ≤1.1.11 enables remote attackers to read arbitrary files from the web server and potentially execute malicious code. The vulnerability stems from improper filename validation in PHP include/require statements, categorized as CWE-98. Despite a CVSS score of 8.1, EPSS probability is low (0.15%, 36th percentile), suggesting targeted rather than widespread exploitation. Patchstack database identifies this as affecting information disclosure through LFI techniques, with no confirmed active exploitation or KEV listing at time of analysis.
Local file inclusion vulnerability in ThemeREX Run Gran WordPress theme versions through 2.0 allows remote attackers to read arbitrary files from the web server filesystem via crafted PHP include statements. Despite the moderate EPSS score (0.15%, 36th percentile), the high-complexity attack vector suggests exploitation requires specific knowledge of file paths or application structure. No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept code identified at time of analysis. Patchstack has documented this vulnerability, indicating awareness within the WordPress security community.
Local file inclusion in ThemeREX Mahogany WordPress theme versions through 2.9 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem via manipulated PHP include/require statements. While classified as high-severity (CVSS 8.1), real-world exploitation risk appears moderate given the EPSS score of 0.15% (36th percentile) and high attack complexity rating. No active exploitation or public exploit code identified at time of analysis. Patchstack security audit identified and disclosed this vulnerability.
PHP Local File Inclusion in ThemeREX Bazinga theme for WordPress (versions ≤1.1.9) allows remote unauthenticated attackers to include and execute arbitrary local files via improper filename control in require/include statements. Despite high CVSS 8.1 severity, EPSS exploitation probability is low (0.15%, 36th percentile), and no active exploitation or public POC has been identified at time of analysis. Patchstack database reports this as both a local file inclusion vector and potential information disclosure issue, suggesting exploitation could lead to code execution through PHP file inclusion or exposure of sensitive configuration data.
Local file inclusion in the ThemeREX Windsor WordPress theme allows remote attackers to include and execute arbitrary PHP files on the server through improper filename control. Affects all versions through 2.5.0. Despite CVSS 8.1 (High), EPSS indicates low exploitation probability (0.15%, 36th percentile), suggesting limited attacker interest. No active exploitation confirmed via CISA KEV at time of analysis. Patchstack database lists this vulnerability with PHP and information disclosure tags, indicating potential for data exfiltration beyond code execution.
Local File Inclusion in Conquerors WordPress theme 1.2.13 and earlier enables remote attackers to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive data. Despite a CVSS score of 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public POC at time of analysis. However, the network-accessible attack vector with no authentication requirement makes this a priority for sites running the affected theme.
Local file inclusion in ThemeREX Vapester WordPress theme versions ≤1.1.10 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. Despite high CVSS score of 8.1, EPSS probability of 0.15% (36th percentile) suggests limited observed exploitation attempts. No active exploitation confirmed by CISA KEV, though Patchstack database listing indicates vulnerability is known to security researchers.
Local file inclusion in ThemeREX Le Truffe WordPress theme versions up to 1.1.7 enables remote attackers to read arbitrary files from the web server without authentication. While CVSS scores 8.1 (High), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation. The vulnerability stems from improper filename control in PHP include/require statements, allowing path traversal to access sensitive server files. No public exploit code identified at time of analysis.
Local File Inclusion in ThemeREX Rhythmo WordPress theme through version 1.3.4 allows remote unauthenticated attackers to read arbitrary files on the server and potentially achieve remote code execution through log file poisoning or PHP wrapper exploitation. Despite network attack vector (AV:N) and high impact ratings (C:H/I:H/A:H), EPSS probability remains low at 0.15%, and no active exploitation has been confirmed in CISA KEV. Attack complexity is rated HIGH (AC:H), indicating specific conditions or timing required for successful exploitation.
Local File Inclusion vulnerability in ThemeREX Bassein WordPress theme versions up to 1.0.15 allows remote unauthenticated attackers to include and execute arbitrary PHP files on the server via improper filename handling. Despite CVSS 8.1 High severity, EPSS exploitation probability is only 0.15% (36th percentile), suggesting limited attacker interest. No active exploitation confirmed (not in CISA KEV) and no public exploit code identified at time of analysis. Patchstack advisory indicates this is a PHP file inclusion flaw affecting theme installations.
Local file inclusion in ThemeREX Legrand WordPress theme versions ≤2.17 allows remote attackers to read arbitrary files from the server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or public exploit code. Reported by Patchstack security research team, this represents a moderate real-world risk primarily for installations where attackers can control file path parameters.
Local file inclusion in ThemeREX Eject WordPress theme versions up to 2.17 enables remote attackers to read arbitrary files on the server or execute PHP code without authentication. Despite high CVSS 8.1 severity, EPSS exploitation probability remains low at 0.15% (36th percentile) with no confirmed active exploitation. Patchstack security audit identified the vulnerability as a PHP file inclusion flaw allowing information disclosure through improper filename control in include/require statements.
Local file inclusion in ThemeREX Edge Decor WordPress theme through version 2.2 allows remote attackers to read arbitrary files on the server and potentially execute code via improper control of PHP include/require statements. Despite a CVSS score of 8.1, real-world exploitation risk appears moderate with EPSS at 0.15% (36th percentile) and no evidence of active exploitation or public POC. Attack complexity is rated high (AC:H), suggesting exploitation requires specific conditions beyond default configuration.
Local file inclusion in ThemeREX Asia Garden WordPress theme (versions ≤1.3.1) allows remote attackers to include and execute arbitrary PHP files on the server. Despite a CVSS base score of 8.1 (High), the EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability in the wild. The vulnerability requires high attack complexity (AC:H) but no authentication (PR:N), enabling unauthenticated remote exploitation under specific conditions. Patchstack database confirmed this LFI vulnerability affecting WordPress installations using this theme.
Local file inclusion in ThemeREX Happy Baby WordPress theme versions ≤1.2.12 allows remote unauthenticated attackers to read arbitrary files from the web server and potentially execute PHP code. Patchstack reported this vulnerability (CWE-98) affecting file inclusion controls, though EPSS probability remains low at 0.15% with no confirmed active exploitation. The CVSS vector indicates network-based attack with high complexity but no authentication requirement, enabling confidentiality, integrity, and availability compromise.
Local file inclusion in ThemeREX Tiger Claw WordPress theme allows remote attackers to read arbitrary files from the web server and potentially execute code. Affects versions up to and including 1.1.14. Despite a high CVSS score of 8.1, the EPSS probability is low at 0.15% (36th percentile), suggesting limited exploitation attempts observed to date. No active exploitation confirmed by CISA KEV, though the vulnerability was reported by Patchstack's security research team.
Local file inclusion in ThemeREX S.King WordPress theme through version 1.5.3 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute PHP code via path manipulation in include/require statements. Despite the 8.1 CVSS score reflecting high severity, EPSS exploitation probability is low (0.15%, 36th percentile) and no active exploitation or public POC has been reported. Patchstack audit team disclosed this vulnerability affecting WordPress deployments using this theme.
Local File Inclusion (LFI) vulnerability in ThemeREX Dermatology Clinic WordPress theme versions ≤1.4.3 allows remote attackers to include and execute arbitrary PHP files on the server. Despite CVSS 8.1, EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation. Patchstack database confirms the vulnerability but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited real-world targeting of this WordPress theme.
Local file inclusion in ThemeREX Dixon WordPress theme through version 1.4.2.1 allows remote attackers to read arbitrary files from the server filesystem without authentication. Despite high attack complexity (AC:H), this vulnerability enables unauthorized access to sensitive configuration files, credentials, and potentially source code. EPSS score of 0.15% (36th percentile) indicates low probability of mass exploitation, consistent with targeting of a specific premium WordPress theme. No active exploitation confirmed (not in CISA KEV), but Patchstack public disclosure increases attack surface visibility.
Local file inclusion in ThemeREX Mandala WordPress theme versions ≤2.8 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper filename control in include/require statements. Despite a CVSS score of 8.1, the EPSS probability remains low (0.15%, 36th percentile), suggesting limited attacker interest or exploitation barriers. No active exploitation or public proof-of-concept has been identified, and the vulnerability requires high attack complexity (AC:H), indicating specific conditions must be met for successful exploitation.
Local file inclusion in MCKinney's Politics WordPress theme versions ≤1.2.8 allows remote attackers to read arbitrary files on the server via path traversal in include/require statements. Despite the high CVSS score (8.1), EPSS probability is low (0.15%, 36th percentile) and no active exploitation is documented. Patchstack has cataloged this as a confirmed vulnerability affecting the ThemeREX-developed WordPress theme, enabling information disclosure through improper input validation in PHP file inclusion functions.
Local file inclusion in the M.Williamson WordPress theme through version 1.2.11 enables remote attackers to read arbitrary files from the server filesystem without authentication. Despite high-complexity exploitation barriers (CVSS AC:H), this vulnerability carries an 8.1 CVSS score due to complete compromise of confidentiality and integrity if successfully exploited. EPSS score of 0.15% (36th percentile) suggests low probability of mass exploitation. No active exploitation confirmed via CISA KEV, though Patchstack database inclusion indicates researcher discovery and analysis.
Local file inclusion in Legal Stone WordPress theme 1.2.11 and earlier allows remote attackers to read arbitrary files and potentially execute malicious code through improper filename control in PHP include/require statements. Exploitation probability remains low (EPSS 0.15%, 36th percentile) with no confirmed active exploitation, though the network-accessible attack vector and lack of authentication requirements present material risk for sites using this theme. Patchstack database reports this vulnerability affecting all versions through 1.2.11.
Local file inclusion in ThemeREX Miller WordPress theme through version 1.3.3 allows remote unauthenticated attackers to read arbitrary files and potentially execute malicious code via improper PHP include/require statement handling. CVSS rates this 8.1 (High) but EPSS exploitation probability is low at 0.15% (36th percentile), indicating targeted rather than widespread exploitation risk. Patchstack has documented this vulnerability but no CISA KEV listing exists, suggesting no confirmed active exploitation campaigns at time of analysis.
Local file inclusion in ThemeREX Peter Mason WordPress theme versions up to 1.4.5 allows remote unauthenticated attackers to include and execute arbitrary PHP files from the server's filesystem. The vulnerability stems from improper validation of file paths in include/require statements (CWE-98), enabling attackers to read sensitive files, execute malicious code, or escalate privileges. EPSS score of 0.15% (36th percentile) indicates relatively low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack security research identified this flaw, suggesting security researchers are aware but widespread targeting is not yet evident.
Local file inclusion in ThemeREX Yacht Rental theme versions through 2.6 enables remote attackers to read arbitrary files on the web server without authentication. The vulnerability stems from improper validation of include/require statements, classified as CWE-98 (PHP Remote File Inclusion). While CVSS scores 8.1 (High), the low EPSS score (0.15%, 36th percentile) suggests minimal observed exploitation activity. Patchstack audit team identified and reported this WordPress theme vulnerability, which affects default configurations requiring no special prerequisites beyond network access to the WordPress installation.
Local file inclusion in ThemeREX Beacon WordPress theme versions ≤2.24 allows remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. Despite high-attack-complexity requirements (CVSS AC:H), this enables unauthenticated access to sensitive configuration files, credentials, and application source code. No public exploit identified at time of analysis, with low EPSS score (0.15%, 36th percentile) suggesting minimal observed exploitation activity. Patchstack advisory available but patched release version not independently confirmed.
Local file inclusion in the Police Department WordPress theme through version 2.17 allows remote attackers to read arbitrary files on the server and potentially achieve remote code execution through file disclosure and log poisoning techniques. Discovered by Patchstack's audit team, this vulnerability carries an EPSS score of 0.15%, indicating low probability of widespread exploitation despite its network-accessible attack vector. No public exploit code or active exploitation has been identified at time of analysis.
Local file inclusion in FlashMart theme versions ≤2.0.15 allows remote attackers to read arbitrary files on the server through improper filename validation in PHP include/require statements. With CVSS 8.1 (High) and CWE-98 classification, attackers can potentially access sensitive configuration files, credentials, and application source code. EPSS exploitation probability is low (0.15%, 36th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the flaw affects the WordPress theme variant.