Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion.This issue affects Berger: from n/a through <= 1.1.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename for include/require statements, allowing an attacker to cause a PHP Local File Inclusion. This flaw can enable the attacker to read sensitive files, execute code, or compromise the application, resulting in full compromise of the affected WordPress installation.

Affected Systems

The bug impacts the ThemeREX Berger theme, version 1.1.1 and earlier. Any WordPress site that has this theme installed without updating to a newer release is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is less than 1 percent, suggesting exploitation is unlikely at present, and the vulnerability is not yet listed in CISA’s KEV catalog. The likely attack vector is local user input that can manipulate the include path; if the web server permits write access to the file system or if the attacker can control configuration data, the flaw can lead to code execution. Although preliminary exploitation may be limited, the potential impact warrants prompt mitigation.

Generated by OpenCVE AI on April 29, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeREX Berger theme to a version newer than 1.1.1 at the earliest convenience.
  • Restrict file permissions on the theme directory to read-only for the web server, preventing arbitrary file writes that could be leveraged for inclusion.
  • Add an .htaccess (or equivalent) in the theme folder to disable PHP execution, for example by adding `php_flag engine off` or denying access to .php files.

Generated by OpenCVE AI on April 29, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex berger
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex berger
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion.This issue affects Berger: from n/a through <= 1.1.1.
Title WordPress Berger theme <= 1.1.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Berger
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:12:49.642Z

Reserved: 2025-06-27T11:59:29.325Z

Link: CVE-2025-53335

cve-icon Vulnrichment

Updated: 2026-03-10T13:31:32.272Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:10.380

Modified: 2026-04-22T21:26:58.303

Link: CVE-2025-53335

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T17:30:16Z

Weaknesses