WordPress Printo theme <= 1.11 - Local File Inclusion vulnerability
Description
A local file inclusion vulnerability in the Printo WordPress theme <=1.11 allows unauthenticated attackers to read arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Printo WordPress theme versions prior to and including 1.11 contain an unauthenticated local file inclusion (LFI) vulnerability [1]. The bug allows an attacker to include arbitrary local files from the server, exposing their content in the response. The exact vulnerable code path is in the theme's file handling logic, which does not properly validate user-supplied input before including files. No authentication or special configuration is required to reach the vulnerable code [1]. Version 1.11 and all earlier versions are affected.
Exploitation
An attacker can exploit this vulnerability remotely without any prior authentication [1]. The exploitation requires only HTTP access to a site running the vulnerable theme. By crafting a malicious request with a manipulated file path parameter, the attacker can read arbitrary files on the server, such as /etc/passwd or WordPress configuration files containing database credentials [1]. The attack does not require any user interaction or special privileges, making it suitable for large-scale automated scanning.
Impact
Successful exploitation allows an attacker to read sensitive local files, including those containing database credentials [1]. This can lead to complete database compromise depending on server configuration. The impact includes information disclosure of sensitive data stored in files, which could be used for further attacks. The vulnerability is rated with a CVSS score of 8.1 (High) due to the ease of exploitation and potential for significant data exposure [1].
Mitigation
A patched version has not been explicitly mentioned in the available references [1]. Users are strongly advised to update to the latest version of the Printo theme immediately if a fix is available [1]. As a workaround, if an update is not possible, users should consult their hosting provider or web developer for assistance in implementing file access restrictions [1]. This vulnerability has been flagged as likely to be used in mass-exploit campaigns.
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 1
- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026), Wordfence Blog · Jun 4, 2026