LFI
Monthly
Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.
Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.
Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.
PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.
Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.
Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.
Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.
Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.
Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.
Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.
Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.
Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.
Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.
Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.
Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.
Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.
PHP file inclusion in PHPIPAM allows authenticated API users to include and execute arbitrary PHP files from the web server's filesystem, with primary impact on application confidentiality through exposure of sensitive configuration data. Exploitation is gated behind two non-default conditions: the REST API must be deliberately enabled by an administrator, and the attacker must hold valid API credentials - constraining the realistic attack surface substantially. Publicly available exploit code exists per Project Black's research blog, though the vulnerability carries a CVSS 4.0 score of 2.3 and is absent from CISA KEV, reflecting its narrow exploitation prerequisites rather than widespread threat activity.
Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.
Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.
Local File Inclusion in the Shopify (Shopify Help Center) WordPress plugin through version 1.0.0 allows an authenticated user with at least Contributor privileges to include and read arbitrary local files on the server, potentially escalating to code execution via CWE-98-style file-inclusion abuse. The flaw was reported by Patchstack and carries a CVSS 7.5 rating driven by high confidentiality, integrity, and availability impact but with high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.
Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.
Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary zero-argument PHP function invocation in the Youtube Showcase (Video Gallery - YouTube Gallery, Playlist & Video Grid) plugin for WordPress affects all versions up to and including 4.0.3, letting authenticated Subscriber-level users abuse the emd_delete_file() AJAX handler to call any callable PHP function name with no arguments. Because the handler validates only a nonce and omits a current_user_can() capability check, low-privileged accounts can trigger functions such as phpinfo(), get_defined_vars(), or error_get_last() to disclose sensitive server and application data. No public exploit identified at time of analysis and the issue is not in CISA KEV, so risk is currently theoretical but credible given the low privilege bar.
Local File Inclusion in the Panorama Viewer - 360 Degree Image + Video Viewer WordPress plugin (versions 1.6.1 and earlier) allows authenticated users with Contributor-level access to coerce the application into including arbitrary local files on the server. Cataloged under CWE-98 and reported by Patchstack, the flaw can expose sensitive files (e.g., wp-config.php credentials) and, depending on server conditions, escalate toward code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.
Local File Inclusion in the Goya Core WordPress plugin (versions before 1.0.9.4) lets authenticated Contributor-level users coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and PHP source. Reported by Patchstack and classified CWE-98, the flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L), and no public exploit identified at time of analysis. Exploitation requires a valid low-privilege account and the high attack complexity reflects non-trivial preconditions.
Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.
Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.
Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.
Local file inclusion in CakePHP's View::_getElementFileName() allows remote attackers to include arbitrary PHP files from the server filesystem when applications render view elements using user-controlled data. Affected versions span multiple major release lines across 4.x and 5.x branches, with patched releases now available from the vendor. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the developer-pattern dependency — user input passed unsanitized into element names — limits but does not eliminate real-world risk.
Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attackers to include arbitrary PHP files from the server filesystem. The flaw is classified as CWE-98 (PHP Remote File Inclusion) but is exploitable only as LFI per the vendor description, enabling source code disclosure, sensitive file read, and potential code execution if a writable PHP file can be reached. No public exploit identified at time of analysis and the vulnerability is not present in CISA KEV.
Local file inclusion in the Atomlab WordPress theme versions 2.4.5 and earlier allows remote unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to sensitive information disclosure and remote code execution. The flaw is tracked under CWE-98 (improper control of filename for include/require) and carries a CVSS 3.1 base score of 8.1 (high). No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local File Inclusion in the CodeSupply Co. 'Uppercase' WordPress theme versions prior to 1.2.2 allows remote unauthenticated attackers to include and disclose arbitrary local files from the web server, potentially leading to source code disclosure, credential theft, or remote code execution where log/upload poisoning is feasible. The flaw is tagged as LFI/PHP/Information Disclosure by Patchstack and carries a CVSS 8.1 (High) rating; no public exploit identified at time of analysis.
Unauthenticated Local File Inclusion in the Solene Core WordPress plugin (versions <= 2.3.2) by elated-themes allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The CVSS 8.1 rating reflects full confidentiality, integrity, and availability impact, though high attack complexity suggests non-trivial exploitation prerequisites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Line Agency WordPress theme versions 1.3.1 and earlier allows remote attackers to include and disclose arbitrary local files on the underlying server, potentially leading to sensitive data exposure and, depending on PHP configuration, remote code execution. The flaw is reported by Patchstack and is mapped to CWE-98 (PHP Remote File Inclusion), with no public exploit identified at time of analysis and no listing in the CISA KEV catalog.
Unauthenticated local file inclusion in the ThemeREX Etude WordPress theme versions 1.6 and earlier allows remote attackers to coerce the application into including arbitrary PHP files, potentially leading to source disclosure, sensitive data exposure, and possible remote code execution depending on writable locations on the host. The high CVSS score of 8.1 reflects significant confidentiality, integrity, and availability impact, though the high attack complexity (AC:H) suggests non-trivial preconditions; no public exploit identified at time of analysis.
Local File Inclusion in the ThemeRex Eventicity WordPress theme versions 1.5 and earlier allows remote unauthenticated attackers to include and execute arbitrary local files on the server. The flaw is reported by Patchstack and tagged as PHP information disclosure; no public exploit identified at time of analysis, though the unauthenticated network vector makes this a meaningful priority for affected WordPress sites. Successful exploitation can expose sensitive files such as wp-config.php and may enable code execution depending on what files can be reached.
Unauthenticated local file inclusion in the ThemeRex Gunslinger WordPress theme through version 1.7 allows remote attackers to coerce PHP into including arbitrary files from the server filesystem, leading to disclosure of sensitive files and potential remote code execution where attacker-influenced content can be staged. No public exploit identified at time of analysis, but the flaw is reachable without authentication and affects all installations running version 1.7 or earlier of the theme.
Unauthenticated local file inclusion in ThemeRex Skyward WordPress theme versions 1.10 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server, enabling sensitive file disclosure and potential remote code execution. The flaw is reachable without authentication over the network and no public exploit has been identified at time of analysis, though Patchstack has catalogued the issue in their vulnerability database. CVSS rates the impact as 8.1 (High) reflecting full confidentiality, integrity, and availability compromise despite high attack complexity.
Unauthenticated Local File Inclusion in the ThemeREX Granola WordPress theme through version 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files via attacker-controlled path input. The flaw is reachable over the network without credentials or user interaction and can expose sensitive site files such as wp-config.php, potentially escalating to code execution if log-poisoning or session-file techniques are viable. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local file inclusion in the ThemeRex Gamic WordPress theme versions 1.15 and earlier allows unauthenticated remote attackers to coerce the PHP application into including arbitrary files via crafted parameters. Successful exploitation can expose sensitive configuration data (including wp-config.php) and, depending on server configuration, may escalate to remote code execution through log poisoning or session-file inclusion. No public exploit identified at time of analysis, and the issue has not been listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Preservation WordPress theme versions 1.10 and earlier allows remote attackers to read arbitrary files from the underlying web server, with high complexity (AC:H) but no authentication required (PR:N). The flaw, reported by Patchstack and classified as CWE-98 (improper filename control for PHP include/require statements), can lead to disclosure of sensitive files such as wp-config.php and, depending on the inclusion path, potentially full code execution. No public exploit identified at time of analysis and no KEV listing.
Unauthenticated local file inclusion in the ThemeRex Fortius WordPress theme (versions 2.3.0 and earlier) allows remote attackers to include and disclose arbitrary local files on the server via a vulnerable PHP file/path parameter. The flaw maps to CWE-98 (improper control of filename for include/require) and can lead to source code disclosure, leakage of WordPress secrets in wp-config.php, and in some PHP setups remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeRex Snow Club WordPress theme versions 1.1 and earlier allows remote attackers to include and execute arbitrary local files on the host, leading to sensitive file disclosure and potential remote code execution. The flaw is reported by Patchstack and maps to CWE-98 (PHP file inclusion); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion affects the Dazzle WordPress theme (by ThemeRex) in versions up to and including 1.0.0, allowing remote attackers to read or potentially include arbitrary local files on the server. The flaw stems from improper control of filename parameters used in PHP include/require statements (CWE-98), and no public exploit has been identified at time of analysis. With a CVSS 8.1 reflecting high attack complexity but no authentication, the vulnerability is reachable by anonymous attackers but requires specific conditions to weaponize fully.
Unauthenticated local file inclusion in the ThemeREX LuxMed Medicine & Healthcare Doctor WordPress theme versions 1.2.2 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server. The flaw is CWE-98 (improper control of filename for include/require) and carries CVSS 8.1 (high), though attack complexity is high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Local File Inclusion in the Imba WordPress theme versions 1.5.0 and earlier allows remote unauthenticated attackers to read arbitrary files from the underlying server. The flaw is rooted in PHP file-inclusion handling (CWE-98) and has no public exploit identified at time of analysis, but its unauthenticated network reachability makes it a notable risk for sites still running the affected ThemeREX product.
Unauthenticated local file inclusion in the Mikado-Themes ChapterOne WordPress theme (versions 1.7 and earlier) allows remote attackers to coerce the PHP application into including arbitrary local files via crafted requests. Successful exploitation can disclose sensitive files such as wp-config.php and, depending on server configuration, lead to PHP code execution by including attacker-influenced content. No public exploit identified at time of analysis, but the vulnerability is publicly cataloged by Patchstack.
Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Xtemos Hitek WordPress theme versions prior to 1.8.3 allows remote attackers to include and execute arbitrary local files on the server via crafted requests, mapped to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP). With a CVSS 3.1 score of 8.1 and high attack complexity but no authentication required, successful exploitation can lead to source code disclosure, sensitive configuration exposure, and potential remote code execution. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated local file inclusion in the Malmö WordPress theme versions 2.2 and earlier allows remote attackers to include arbitrary local files via crafted requests, enabling disclosure of sensitive server-side content and potentially remote code execution. The flaw is reported by Patchstack and classified as CWE-98 (improper control of filename for include/require), with no public exploit identified at time of analysis. Affected sites are WordPress installations using the elated-themes Malmö theme.
Unauthenticated local file inclusion in the Mikado Core WordPress plugin versions 1.6 and earlier allows remote attackers to include arbitrary local files via crafted HTTP requests, potentially exposing sensitive server contents and enabling code execution. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in ThemeREX EcoBlue WordPress theme versions 1.15 and earlier enables remote attackers to include arbitrary local files on the server without credentials, potentially leading to source code disclosure and remote code execution via PHP file inclusion (CWE-98). No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with WordPress's broad deployment surface makes this notable. EPSS data was not provided, and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX AutoParts WordPress theme versions 1.5.8 and earlier allows remote attackers to include and execute arbitrary local files on the server. No public exploit identified at time of analysis, but the CWE-98 classification and PR:N CVSS vector make this a meaningful pre-authentication risk for any WordPress site running the theme. Successful exploitation typically leads to sensitive file disclosure (wp-config.php) and, when combined with log poisoning or uploaded content, full remote code execution.
Unauthenticated local file inclusion in the Themeum Right Way WordPress theme versions 4.0 and earlier allows remote attackers to include arbitrary local files and likely achieve code execution through PHP file inclusion (CWE-98). The flaw is network-reachable without credentials, though CVSS records high attack complexity (AC:H), and no public exploit has been identified at time of analysis. The advisory is sourced from Patchstack's WordPress vulnerability database.
Unauthenticated local file inclusion in the Reprizo WordPress theme by AxiomThemes (versions 1.0.8 and earlier) allows remote attackers to coerce the PHP include/require chain into loading arbitrary server-side files, leading to disclosure of sensitive configuration data and potential code execution if uploaded or log files can be referenced. No public exploit identified at time of analysis, but the issue is tracked by Patchstack as a high-severity flaw against a commercial WordPress theme.
Unauthenticated local file inclusion in the Promo WordPress theme through version 1.3.0 allows remote attackers to coerce the application into including arbitrary PHP files from the server, potentially leading to source code disclosure, sensitive file reads, or remote code execution where attacker-controlled files are reachable. The vulnerability is reported by Patchstack and affects axiomthemes' Promo theme; no public exploit identified at time of analysis and EPSS data was not provided. The CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability despite high attack complexity.
Unauthenticated local file inclusion in the ThemeREX Tipsy WordPress theme versions 1.1 and earlier allows remote attackers to coerce the PHP interpreter into including arbitrary files via attacker-controlled path parameters. Successful exploitation can disclose sensitive server-side files, leak configuration secrets such as wp-config.php database credentials, and - depending on environment - escalate to code execution by including log files, session files, or other writable artifacts. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX Resurs WordPress theme versions 1.3 and below allows remote attackers to include and execute arbitrary local files on the server. The flaw, tracked under CWE-98 (Improper Control of Filename for Include/Require), enables disclosure of sensitive files and potential code execution depending on server configuration. No public exploit identified at time of analysis, though Patchstack has confirmed the issue against the affected theme.
Unauthenticated Local File Inclusion in the ThemeREX Orpheus WordPress theme (versions <= 1.3) allows remote attackers to read arbitrary files on the server and potentially achieve code execution via PHP file inclusion. The flaw stems from improper control of filenames in an include/require statement (CWE-98), and while no public exploit has been identified at time of analysis, the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability. Risk is somewhat tempered by the high attack complexity metric in the CVSS vector.
Unauthenticated local file inclusion in the Snowy WordPress theme (ThemeREX) versions up to and including 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files from the server filesystem. The flaw is tracked as CWE-98 (Improper Control of Filename for Include/Require), reported by Patchstack, and carries a CVSS 3.1 score of 8.1 (High) reflecting high-complexity but unauthenticated network exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Gat WordPress theme (versions 1.16 and earlier) allows remote attackers to include arbitrary local files on the server, potentially leading to disclosure of sensitive configuration data, credentials, or remote code execution if combined with uploadable content. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact. The vulnerability is reported by Patchstack and affects the ThemeRex Gat theme.
Unauthenticated local file inclusion in the ThemeREX Ingenioso WordPress theme through version 1.14.0 allows remote attackers to coerce the PHP application into including arbitrary server-side files, leading to disclosure of sensitive content and potential remote code execution where uploaded or log-poisoned files can be reached. The flaw is classified under CWE-98 (improper control of filename for include/require) and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 (High) with high attack complexity, reflecting that successful exploitation depends on identifying a reachable include path.
Unauthenticated local file inclusion in the AirSupply WordPress theme versions up to and including 2.0.0 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive data and potentially leading to code execution. Reported by Patchstack and tracked under CWE-98 (improper PHP file inclusion), with no public exploit identified at time of analysis and no EPSS or KEV signal supplied in the input. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable, unauthenticated exploitation that nevertheless requires meeting non-trivial conditions to succeed.
Unauthenticated local file inclusion in the ThemeRex HomeRoofer WordPress theme through version 2.11.0 allows remote attackers to include and read arbitrary local files on the server, potentially leading to source code disclosure, credential theft from wp-config.php, and in some PHP configurations remote code execution. The flaw is reachable without authentication over HTTP, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue in their WordPress vulnerability database. No CISA KEV listing or EPSS data was supplied in the source intelligence.
Unauthenticated Local File Inclusion affects the Joly WordPress theme by ThemeREX in versions up to and including 1.22.0, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Successful exploitation can disclose sensitive configuration (such as wp-config.php containing database credentials and auth keys) and, depending on server configuration, escalate to remote code execution via log poisoning or session file inclusion. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Neuronet WordPress theme before version 1.14.0 allows remote attackers to coerce the PHP runtime into including arbitrary files via untrusted input reaching an include/require statement. The flaw is reachable without authentication or user interaction, but CVSS marks attack complexity as High, suggesting non-trivial preconditions for full exploitation. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.
Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.
Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.
Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.
Unauthenticated local file inclusion in Softlab Core WordPress plugin versions before 1.2.11 allows remote attackers to read or include arbitrary local files on the server, potentially leading to sensitive information disclosure or remote code execution if attacker-controlled content can be reached. The flaw is reported by Patchstack and tagged as PHP/LFI affecting the WebGeniusLab Softlab Core plugin used in WordPress deployments. No public exploit identified at time of analysis, though the unauthenticated nature and high CVSS impact warrant prompt patching.
Unauthenticated Local File Inclusion in the Integrio Core WordPress plugin (versions prior to 1.2.8) by webgeniuslab allows remote attackers to coerce the PHP application into including arbitrary local files, leading to source code disclosure, sensitive file exposure, and potentially remote code execution when log poisoning or upload primitives are available. The CVSS vector (AV:N/AC:H/PR:N/UI:N) reflects network-reachable, unauthenticated exploitation with high attack complexity, and no public exploit identified at time of analysis. The flaw is tracked by Patchstack and ENISA EUVD (EUVD-2026-37466) with a vendor-released patch in version 1.2.8.
Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.
Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).
Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.
Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).
Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.
Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.
Local File Inclusion in the Select-Themes "Tonda" WordPress theme (all versions through 2.5) lets an authenticated attacker with low privileges coerce a PHP include/require statement into loading arbitrary local files on the server. Tracked as CVE-2026-57805 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating and enables disclosure of sensitive files such as wp-config.php, with potential escalation to code execution via log/session poisoning. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin (versions up to and including 5.11.1) lets an authenticated low-privileged attacker coerce the application into including arbitrary local PHP files, exposing sensitive files and potentially executing attacker-influenced code within the site context. Classified as CWE-98 (PHP Remote/Local File Inclusion) and reported by Patchstack, the flaw carries a CVSS 3.1 base score of 7.5 with high impact across confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and no active exploitation on record.
Local File Inclusion in the Select-Themes Struktur Core WordPress plugin (all versions up to and including 2.5.1) lets an authenticated low-privileged user coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive server-side content such as wp-config.php credentials. Reported by Patchstack and classified under CWE-98 (PHP Remote File Inclusion), the flaw carries a CVSS 3.1 score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. Depending on server configuration, LFI of attacker-influenced content (e.g., poisoned logs or uploaded files) can escalate to PHP code execution.
Local File Inclusion in the Select-Themes "Struktur" WordPress theme (all versions up to and including 2.5.1) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive content such as wp-config.php credentials and, under the right conditions, escalating to code execution. Tracked as CVE-2026-57802 (CWE-98) and reported by Patchstack, it carries a CVSS 7.5 rating; there is no public exploit identified at time of analysis and it is not on CISA KEV. The CVSS vector's PR:L indicates authentication is required and AC:H reflects non-trivial exploitation preconditions.
PHP Local File Inclusion in the Select-Themes SetSail WordPress theme (versions up to and including 2.1) allows an authenticated attacker to coerce the application into including local files via improper control of a filename in an include/require statement. Successful exploitation can disclose sensitive files (e.g., wp-config.php) and, depending on server conditions, escalate to code execution through log poisoning or PHP wrapper abuse. This is a Patchstack-reported issue with no public exploit identified at time of analysis and no CISA KEV listing.
Local File Inclusion in the Edge-Themes 'Overworld' WordPress theme (versions up to and including 1.5) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary server-side files, disclosing sensitive data such as wp-config.php credentials and potentially escalating to code execution via log/session poisoning. The flaw was reported by Patchstack and is classified as CWE-98 (PHP Remote File Inclusion). No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not provided.
Local file inclusion in the uxper Nuss WordPress theme (versions up to and including 1.3.6) lets an authenticated attacker with low-privilege access coerce the theme into including arbitrary PHP-parsable files from the server via improperly controlled include/require paths (CWE-98). Successful exploitation can disclose sensitive files and, depending on what can be included, lead to code execution, with high confidentiality, integrity, and availability impact per the CVSS 7.5 rating. No public exploit identified at time of analysis; the flaw was reported through Patchstack.
Local File Inclusion in the NewsPlus Shortcodes WordPress plugin (versions up to and including 4.2.0) allows an authenticated attacker to coerce the plugin into including arbitrary PHP-processable files from the server, enabling disclosure of sensitive files and potential code execution. The flaw stems from improper control of a filename passed to a PHP include/require statement (CWE-98). No public exploit was identified at the time of analysis, and it is not listed in CISA KEV; risk is moderated by high attack complexity and a required privilege level.
Local File Inclusion in the VLThemes Leedo WordPress theme (versions up to and including 3.0.0) allows authenticated attackers to include and execute arbitrary local files on the server via improper control of a filename passed to a PHP include/require statement. Although classified under PHP Remote File Inclusion (CWE-98), Patchstack characterizes the practical impact as Local File Inclusion, enabling disclosure of sensitive files and potential code execution from locally accessible content. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.
Local File Inclusion in the Kitchor WordPress theme by themelexus (versions up to and including 1.4.3) allows an authenticated attacker to coerce a PHP include/require statement into loading arbitrary local files from the server. Because the theme fails to constrain the filename passed to an include path (CWE-98), an attacker with at least low-level authenticated access can read sensitive files such as wp-config.php and, under the right conditions, escalate to PHP code execution via log poisoning or inclusion of attacker-influenced content. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; the CVSS 3.1 base score is 7.5.
Local file inclusion in the uxper Golo Framework WordPress plugin (versions up to and including 1.7.3) lets an authenticated attacker abuse an improperly validated include/require path to read arbitrary server-side files and potentially execute embedded PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N) indicates network-reachable exploitation requiring low-level authentication and elevated attack complexity, with high impact to confidentiality, integrity, and availability. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Local File Inclusion in the Elated-Themes 'Flow' WordPress theme (all versions up to and including 1.8) lets an authenticated attacker abuse an improperly controlled include/require path to read local files and potentially execute PHP. The CVSS 3.1 vector (AV:N/AC:H/PR:L) indicates a network-reachable but low-privilege, high-complexity flaw. No public exploit identified at time of analysis, and it is not listed in CISA KEV; disclosure comes from Patchstack.
Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.
Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.
Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.
Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.
Local File Inclusion in the LA-Studio Element Kit for Elementor WordPress plugin (all versions through 1.6.1) lets authenticated contributors and above coerce the get_type_template function into including arbitrary server-side .php files, enabling access-control bypass, sensitive data disclosure, and full PHP code execution where an attacker can plant a .php file. Reported by Wordfence with a CVSS 3.1 base score of 7.5; no public exploit identified at time of analysis and it is not listed in CISA KEV. The flaw stems from wp_normalize_path being relied upon for path safety even though it only canonicalizes separators and never rejects traversal sequences.
Local File Inclusion in the Happyforms WordPress plugin (all versions through 1.26.12) allows authenticated administrators to include and execute arbitrary PHP files on the server via the happyforms_get_form_partial() function, enabling full remote code execution when the attacker can also upload PHP files. The vulnerability is rooted in unsanitized filename handling (CWE-98) within the form template rendering logic, as evidenced by the affected files class-wp-customize-form-manager.php and helper-form-templates.php. No public exploit code or CISA KEV listing has been identified at time of analysis, and the Administrator-level access prerequisite substantially limits the realistic attacker population.
Local File Inclusion in the WPFunnels WordPress plugin (all versions through 3.12.7) allows authenticated administrators to include and execute arbitrary PHP files on the server via the unsanitized `logKey` parameter, yielding full remote code execution when combined with file upload capability. The attack requires administrator-level WordPress credentials and high complexity - specifically the ability to place a PHP file on the server - materially limiting the exploitable population. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a routine-patching priority tier despite its severe potential impact.
PHP file inclusion in PHPIPAM allows authenticated API users to include and execute arbitrary PHP files from the web server's filesystem, with primary impact on application confidentiality through exposure of sensitive configuration data. Exploitation is gated behind two non-default conditions: the REST API must be deliberately enabled by an administrator, and the attacker must hold valid API credentials - constraining the realistic attack surface substantially. Publicly available exploit code exists per Project Black's research blog, though the vulnerability carries a CVSS 4.0 score of 2.3 and is absent from CISA KEV, reflecting its narrow exploitation prerequisites rather than widespread threat activity.
Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.
Local File Inclusion in the SportsPress Pro WordPress plugin (versions 2.7.29 and earlier) lets an authenticated user holding at least Contributor privileges cause the application to include and disclose arbitrary local files on the server. Because the flaw is rooted in unsafe PHP file inclusion (CWE-98), a successful attacker can read sensitive files such as wp-config.php and, depending on which local files can be included, potentially escalate toward code execution. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, though the finding is documented by Patchstack.
Local File Inclusion in the Shopify (Shopify Help Center) WordPress plugin through version 1.0.0 allows an authenticated user with at least Contributor privileges to include and read arbitrary local files on the server, potentially escalating to code execution via CWE-98-style file-inclusion abuse. The flaw was reported by Patchstack and carries a CVSS 7.5 rating driven by high confidentiality, integrity, and availability impact but with high attack complexity. No public exploit identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the Audrey WordPress theme (elated-themes) affects all versions up to and including 1.5, letting remote attackers coerce the PHP application into including arbitrary files. Because CWE-98 covers PHP file-inclusion flaws, a successful include can leak sensitive files (wp-config.php, credentials) and, where remote or attacker-controlled content is includable, escalate to code execution. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, though the network-reachable, unauthenticated nature (CVSS 8.1) makes it a meaningful patching priority for sites running this theme.
Local File Inclusion in the Pearl - Corporate Business WordPress theme (StyleMixThemes) versions 3.4.10 and earlier lets unauthenticated remote attackers coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and credentials. Rated CVSS 8.1 by Patchstack, the flaw requires no authentication (PR:N) but carries high attack complexity (AC:H), and depending on include handling could escalate from information disclosure toward code execution. There is no public exploit identified at time of analysis, no CISA KEV listing, and no EPSS score supplied in the source data.
Local File Inclusion in the GoodLayers Tourmaster WordPress plugin (versions <= 5.4.5) allows low-privileged authenticated users at the Subscriber level to include and read arbitrary local files from the server, exposing sensitive data such as configuration files and credentials. Reported through Patchstack and mapped to CWE-98, the flaw carries a CVSS 7.5 (High) score with high attack complexity; no public exploit code has been identified at time of analysis, and it is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the AncoraThemes 'Lighthouse' WordPress theme (versions 1.2.12 and earlier, classified under CWE-98) lets remote attackers with no credentials coerce the theme's PHP include/require logic into loading attacker-influenced file paths. Because CWE-98 covers PHP remote/local file inclusion, a successful attack can disclose sensitive server files (wp-config.php, credentials) and, depending on server configuration, escalate to code execution, which is why NVD scores full C/I/A impact. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
Arbitrary zero-argument PHP function invocation in the Youtube Showcase (Video Gallery - YouTube Gallery, Playlist & Video Grid) plugin for WordPress affects all versions up to and including 4.0.3, letting authenticated Subscriber-level users abuse the emd_delete_file() AJAX handler to call any callable PHP function name with no arguments. Because the handler validates only a nonce and omits a current_user_can() capability check, low-privileged accounts can trigger functions such as phpinfo(), get_defined_vars(), or error_get_last() to disclose sensitive server and application data. No public exploit identified at time of analysis and the issue is not in CISA KEV, so risk is currently theoretical but credible given the low privilege bar.
Local File Inclusion in the Panorama Viewer - 360 Degree Image + Video Viewer WordPress plugin (versions 1.6.1 and earlier) allows authenticated users with Contributor-level access to coerce the application into including arbitrary local files on the server. Cataloged under CWE-98 and reported by Patchstack, the flaw can expose sensitive files (e.g., wp-config.php credentials) and, depending on server conditions, escalate toward code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV; the CVSS 3.1 base score is 7.5 with high attack complexity.
Local File Inclusion in the Goya Core WordPress plugin (versions before 1.0.9.4) lets authenticated Contributor-level users coerce the application into including arbitrary local files, exposing sensitive server-side content such as configuration files and PHP source. Reported by Patchstack and classified CWE-98, the flaw carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L), and no public exploit identified at time of analysis. Exploitation requires a valid low-privilege account and the high attack complexity reflects non-trivial preconditions.
Local File Inclusion in the Splash - Sport Club WordPress theme (versions 4.4.3 and earlier) lets an authenticated Contributor-level user supply a controlled filename to a PHP include/require sink, exposing local server files and potentially escalating to code execution. The flaw was reported by Patchstack and carries a CVSS 7.5; no public exploit identified at time of analysis, and it is not listed in CISA KEV. Exploitation requires an existing low-privilege account and overcomes elevated attack complexity, narrowing realistic abuse to multi-author sites.
Unauthenticated local file inclusion in the WordPress 'Meta Data and Taxonomy Filter' (MDTF) plugin by pluginus.net affects all versions up to and including 1.3.8, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Per its CVSS:3.1 vector (AV:N/PR:N), exploitation is network-reachable and unauthenticated, though the high attack complexity (AC:H) implies non-trivial preconditions. This is classified as information disclosure but rated 8.1 with full C/I/A impact; there is no public exploit identified at time of analysis and it is not on the CISA KEV list.
Joomla!. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Unauthenticated remote code execution in BetterDocs Pro for WordPress (versions through 3.8.0) is achievable by abusing the `doc_style` parameter to include arbitrary local PHP files. Wordfence has assigned a critical 9.8 CVSS score, and while no public exploit identified at time of analysis, the unauthenticated network-reachable nature of the flaw on a widely deployed WordPress documentation plugin makes opportunistic mass-exploitation likely once details propagate.
Local file inclusion in CakePHP's View::_getElementFileName() allows remote attackers to include arbitrary PHP files from the server filesystem when applications render view elements using user-controlled data. Affected versions span multiple major release lines across 4.x and 5.x branches, with patched releases now available from the vendor. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; however, the developer-pattern dependency — user input passed unsanitized into element names — limits but does not eliminate real-world risk.
Local file inclusion in StylemixThemes Motors WordPress plugin versions up to and including 1.4.109 allows remote attackers to include arbitrary PHP files from the server filesystem. The flaw is classified as CWE-98 (PHP Remote File Inclusion) but is exploitable only as LFI per the vendor description, enabling source code disclosure, sensitive file read, and potential code execution if a writable PHP file can be reached. No public exploit identified at time of analysis and the vulnerability is not present in CISA KEV.
Local file inclusion in the Atomlab WordPress theme versions 2.4.5 and earlier allows remote unauthenticated attackers to include arbitrary PHP files on the server, potentially leading to sensitive information disclosure and remote code execution. The flaw is tracked under CWE-98 (improper control of filename for include/require) and carries a CVSS 3.1 base score of 8.1 (high). No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local File Inclusion in the CodeSupply Co. 'Uppercase' WordPress theme versions prior to 1.2.2 allows remote unauthenticated attackers to include and disclose arbitrary local files from the web server, potentially leading to source code disclosure, credential theft, or remote code execution where log/upload poisoning is feasible. The flaw is tagged as LFI/PHP/Information Disclosure by Patchstack and carries a CVSS 8.1 (High) rating; no public exploit identified at time of analysis.
Unauthenticated Local File Inclusion in the Solene Core WordPress plugin (versions <= 2.3.2) by elated-themes allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The CVSS 8.1 rating reflects full confidentiality, integrity, and availability impact, though high attack complexity suggests non-trivial exploitation prerequisites. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Line Agency WordPress theme versions 1.3.1 and earlier allows remote attackers to include and disclose arbitrary local files on the underlying server, potentially leading to sensitive data exposure and, depending on PHP configuration, remote code execution. The flaw is reported by Patchstack and is mapped to CWE-98 (PHP Remote File Inclusion), with no public exploit identified at time of analysis and no listing in the CISA KEV catalog.
Unauthenticated local file inclusion in the ThemeREX Etude WordPress theme versions 1.6 and earlier allows remote attackers to coerce the application into including arbitrary PHP files, potentially leading to source disclosure, sensitive data exposure, and possible remote code execution depending on writable locations on the host. The high CVSS score of 8.1 reflects significant confidentiality, integrity, and availability impact, though the high attack complexity (AC:H) suggests non-trivial preconditions; no public exploit identified at time of analysis.
Local File Inclusion in the ThemeRex Eventicity WordPress theme versions 1.5 and earlier allows remote unauthenticated attackers to include and execute arbitrary local files on the server. The flaw is reported by Patchstack and tagged as PHP information disclosure; no public exploit identified at time of analysis, though the unauthenticated network vector makes this a meaningful priority for affected WordPress sites. Successful exploitation can expose sensitive files such as wp-config.php and may enable code execution depending on what files can be reached.
Unauthenticated local file inclusion in the ThemeRex Gunslinger WordPress theme through version 1.7 allows remote attackers to coerce PHP into including arbitrary files from the server filesystem, leading to disclosure of sensitive files and potential remote code execution where attacker-influenced content can be staged. No public exploit identified at time of analysis, but the flaw is reachable without authentication and affects all installations running version 1.7 or earlier of the theme.
Unauthenticated local file inclusion in ThemeRex Skyward WordPress theme versions 1.10 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server, enabling sensitive file disclosure and potential remote code execution. The flaw is reachable without authentication over the network and no public exploit has been identified at time of analysis, though Patchstack has catalogued the issue in their vulnerability database. CVSS rates the impact as 8.1 (High) reflecting full confidentiality, integrity, and availability compromise despite high attack complexity.
Unauthenticated Local File Inclusion in the ThemeREX Granola WordPress theme through version 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files via attacker-controlled path input. The flaw is reachable over the network without credentials or user interaction and can expose sensitive site files such as wp-config.php, potentially escalating to code execution if log-poisoning or session-file techniques are viable. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local file inclusion in the ThemeRex Gamic WordPress theme versions 1.15 and earlier allows unauthenticated remote attackers to coerce the PHP application into including arbitrary files via crafted parameters. Successful exploitation can expose sensitive configuration data (including wp-config.php) and, depending on server configuration, may escalate to remote code execution through log poisoning or session-file inclusion. No public exploit identified at time of analysis, and the issue has not been listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Preservation WordPress theme versions 1.10 and earlier allows remote attackers to read arbitrary files from the underlying web server, with high complexity (AC:H) but no authentication required (PR:N). The flaw, reported by Patchstack and classified as CWE-98 (improper filename control for PHP include/require statements), can lead to disclosure of sensitive files such as wp-config.php and, depending on the inclusion path, potentially full code execution. No public exploit identified at time of analysis and no KEV listing.
Unauthenticated local file inclusion in the ThemeRex Fortius WordPress theme (versions 2.3.0 and earlier) allows remote attackers to include and disclose arbitrary local files on the server via a vulnerable PHP file/path parameter. The flaw maps to CWE-98 (improper control of filename for include/require) and can lead to source code disclosure, leakage of WordPress secrets in wp-config.php, and in some PHP setups remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeRex Snow Club WordPress theme versions 1.1 and earlier allows remote attackers to include and execute arbitrary local files on the host, leading to sensitive file disclosure and potential remote code execution. The flaw is reported by Patchstack and maps to CWE-98 (PHP file inclusion); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion affects the Dazzle WordPress theme (by ThemeRex) in versions up to and including 1.0.0, allowing remote attackers to read or potentially include arbitrary local files on the server. The flaw stems from improper control of filename parameters used in PHP include/require statements (CWE-98), and no public exploit has been identified at time of analysis. With a CVSS 8.1 reflecting high attack complexity but no authentication, the vulnerability is reachable by anonymous attackers but requires specific conditions to weaponize fully.
Unauthenticated local file inclusion in the ThemeREX LuxMed Medicine & Healthcare Doctor WordPress theme versions 1.2.2 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server. The flaw is CWE-98 (improper control of filename for include/require) and carries CVSS 8.1 (high), though attack complexity is high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Local File Inclusion in the Imba WordPress theme versions 1.5.0 and earlier allows remote unauthenticated attackers to read arbitrary files from the underlying server. The flaw is rooted in PHP file-inclusion handling (CWE-98) and has no public exploit identified at time of analysis, but its unauthenticated network reachability makes it a notable risk for sites still running the affected ThemeREX product.
Unauthenticated local file inclusion in the Mikado-Themes ChapterOne WordPress theme (versions 1.7 and earlier) allows remote attackers to coerce the PHP application into including arbitrary local files via crafted requests. Successful exploitation can disclose sensitive files such as wp-config.php and, depending on server configuration, lead to PHP code execution by including attacker-influenced content. No public exploit identified at time of analysis, but the vulnerability is publicly cataloged by Patchstack.
Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Xtemos Hitek WordPress theme versions prior to 1.8.3 allows remote attackers to include and execute arbitrary local files on the server via crafted requests, mapped to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP). With a CVSS 3.1 score of 8.1 and high attack complexity but no authentication required, successful exploitation can lead to source code disclosure, sensitive configuration exposure, and potential remote code execution. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated local file inclusion in the Malmö WordPress theme versions 2.2 and earlier allows remote attackers to include arbitrary local files via crafted requests, enabling disclosure of sensitive server-side content and potentially remote code execution. The flaw is reported by Patchstack and classified as CWE-98 (improper control of filename for include/require), with no public exploit identified at time of analysis. Affected sites are WordPress installations using the elated-themes Malmö theme.
Unauthenticated local file inclusion in the Mikado Core WordPress plugin versions 1.6 and earlier allows remote attackers to include arbitrary local files via crafted HTTP requests, potentially exposing sensitive server contents and enabling code execution. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in ThemeREX EcoBlue WordPress theme versions 1.15 and earlier enables remote attackers to include arbitrary local files on the server without credentials, potentially leading to source code disclosure and remote code execution via PHP file inclusion (CWE-98). No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with WordPress's broad deployment surface makes this notable. EPSS data was not provided, and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX AutoParts WordPress theme versions 1.5.8 and earlier allows remote attackers to include and execute arbitrary local files on the server. No public exploit identified at time of analysis, but the CWE-98 classification and PR:N CVSS vector make this a meaningful pre-authentication risk for any WordPress site running the theme. Successful exploitation typically leads to sensitive file disclosure (wp-config.php) and, when combined with log poisoning or uploaded content, full remote code execution.
Unauthenticated local file inclusion in the Themeum Right Way WordPress theme versions 4.0 and earlier allows remote attackers to include arbitrary local files and likely achieve code execution through PHP file inclusion (CWE-98). The flaw is network-reachable without credentials, though CVSS records high attack complexity (AC:H), and no public exploit has been identified at time of analysis. The advisory is sourced from Patchstack's WordPress vulnerability database.
Unauthenticated local file inclusion in the Reprizo WordPress theme by AxiomThemes (versions 1.0.8 and earlier) allows remote attackers to coerce the PHP include/require chain into loading arbitrary server-side files, leading to disclosure of sensitive configuration data and potential code execution if uploaded or log files can be referenced. No public exploit identified at time of analysis, but the issue is tracked by Patchstack as a high-severity flaw against a commercial WordPress theme.
Unauthenticated local file inclusion in the Promo WordPress theme through version 1.3.0 allows remote attackers to coerce the application into including arbitrary PHP files from the server, potentially leading to source code disclosure, sensitive file reads, or remote code execution where attacker-controlled files are reachable. The vulnerability is reported by Patchstack and affects axiomthemes' Promo theme; no public exploit identified at time of analysis and EPSS data was not provided. The CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability despite high attack complexity.
Unauthenticated local file inclusion in the ThemeREX Tipsy WordPress theme versions 1.1 and earlier allows remote attackers to coerce the PHP interpreter into including arbitrary files via attacker-controlled path parameters. Successful exploitation can disclose sensitive server-side files, leak configuration secrets such as wp-config.php database credentials, and - depending on environment - escalate to code execution by including log files, session files, or other writable artifacts. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX Resurs WordPress theme versions 1.3 and below allows remote attackers to include and execute arbitrary local files on the server. The flaw, tracked under CWE-98 (Improper Control of Filename for Include/Require), enables disclosure of sensitive files and potential code execution depending on server configuration. No public exploit identified at time of analysis, though Patchstack has confirmed the issue against the affected theme.
Unauthenticated Local File Inclusion in the ThemeREX Orpheus WordPress theme (versions <= 1.3) allows remote attackers to read arbitrary files on the server and potentially achieve code execution via PHP file inclusion. The flaw stems from improper control of filenames in an include/require statement (CWE-98), and while no public exploit has been identified at time of analysis, the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability. Risk is somewhat tempered by the high attack complexity metric in the CVSS vector.
Unauthenticated local file inclusion in the Snowy WordPress theme (ThemeREX) versions up to and including 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files from the server filesystem. The flaw is tracked as CWE-98 (Improper Control of Filename for Include/Require), reported by Patchstack, and carries a CVSS 3.1 score of 8.1 (High) reflecting high-complexity but unauthenticated network exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Gat WordPress theme (versions 1.16 and earlier) allows remote attackers to include arbitrary local files on the server, potentially leading to disclosure of sensitive configuration data, credentials, or remote code execution if combined with uploadable content. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact. The vulnerability is reported by Patchstack and affects the ThemeRex Gat theme.
Unauthenticated local file inclusion in the ThemeREX Ingenioso WordPress theme through version 1.14.0 allows remote attackers to coerce the PHP application into including arbitrary server-side files, leading to disclosure of sensitive content and potential remote code execution where uploaded or log-poisoned files can be reached. The flaw is classified under CWE-98 (improper control of filename for include/require) and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 (High) with high attack complexity, reflecting that successful exploitation depends on identifying a reachable include path.
Unauthenticated local file inclusion in the AirSupply WordPress theme versions up to and including 2.0.0 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive data and potentially leading to code execution. Reported by Patchstack and tracked under CWE-98 (improper PHP file inclusion), with no public exploit identified at time of analysis and no EPSS or KEV signal supplied in the input. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable, unauthenticated exploitation that nevertheless requires meeting non-trivial conditions to succeed.
Unauthenticated local file inclusion in the ThemeRex HomeRoofer WordPress theme through version 2.11.0 allows remote attackers to include and read arbitrary local files on the server, potentially leading to source code disclosure, credential theft from wp-config.php, and in some PHP configurations remote code execution. The flaw is reachable without authentication over HTTP, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue in their WordPress vulnerability database. No CISA KEV listing or EPSS data was supplied in the source intelligence.
Unauthenticated Local File Inclusion affects the Joly WordPress theme by ThemeREX in versions up to and including 1.22.0, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Successful exploitation can disclose sensitive configuration (such as wp-config.php containing database credentials and auth keys) and, depending on server configuration, escalate to remote code execution via log poisoning or session file inclusion. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Neuronet WordPress theme before version 1.14.0 allows remote attackers to coerce the PHP runtime into including arbitrary files via untrusted input reaching an include/require statement. The flaw is reachable without authentication or user interaction, but CVSS marks attack complexity as High, suggesting non-trivial preconditions for full exploitation. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.
Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.
Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.
Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.
Unauthenticated local file inclusion in Softlab Core WordPress plugin versions before 1.2.11 allows remote attackers to read or include arbitrary local files on the server, potentially leading to sensitive information disclosure or remote code execution if attacker-controlled content can be reached. The flaw is reported by Patchstack and tagged as PHP/LFI affecting the WebGeniusLab Softlab Core plugin used in WordPress deployments. No public exploit identified at time of analysis, though the unauthenticated nature and high CVSS impact warrant prompt patching.
Unauthenticated Local File Inclusion in the Integrio Core WordPress plugin (versions prior to 1.2.8) by webgeniuslab allows remote attackers to coerce the PHP application into including arbitrary local files, leading to source code disclosure, sensitive file exposure, and potentially remote code execution when log poisoning or upload primitives are available. The CVSS vector (AV:N/AC:H/PR:N/UI:N) reflects network-reachable, unauthenticated exploitation with high attack complexity, and no public exploit identified at time of analysis. The flaw is tracked by Patchstack and ENISA EUVD (EUVD-2026-37466) with a vendor-released patch in version 1.2.8.
Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.
Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).
Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.
Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).
Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.
Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.