Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Hara theme, through version 1.2.17, does not properly control the filename passed to PHP include/require statements. An attacker who supplies a crafted path can trigger a local file inclusion, potentially reading sensitive files or executing code. The weakness is classified as CWE-98. The CVSS score of 8.1 reflects a high-severity bug that can compromise the confidentiality and integrity of the WordPress instance.

Affected Systems

WordPress sites using Thembay's Hara theme at versions 1.2.17 or earlier are affected. Users of the theme should immediately verify their installed version and plan an upgrade if the version is ≤ 1.2.17.

Risk and Exploitability

The EPSS score of less than 1% indicates a low probability of exploitation today, but the high CVSS score and the nature of the flaw mean that exploitation could result in unauthorized file disclosure or code execution. The vulnerability is not listed in CISA's KEV catalog. Attackers would need to supply a URL or form input that controls the file path. It is unclear whether the path is restricted against directory traversal, so the attack vector is inferred to be remote, via crafted web requests.

Generated by OpenCVE AI on April 27, 2026 at 20:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hara theme to a version newer than 1.2.17
  • Ensure that any include/require statements no longer accept user‑controlled paths and that file paths are validated against a whitelist
  • If an upgrade is not immediately possible, remove or disable any functionality that allows user input to specify a file path within the theme
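
The allowlist approach from the second recommendation, as an added example (not code from the Hara theme or from OpenCVE). The layout keys, the `layouts/` files and the `example_resolve_layout()` helper are hypothetical, and the template directory is constructed in a temp folder so the script runs on its own:

```php
<?php
// Added illustration with hypothetical names; this is not the Hara theme's code.
// Allowlist: the only keys a request may name, each mapped to a fixed file.
const EXAMPLE_LAYOUTS = [
    'grid' => 'layouts/grid.php',
    'list' => 'layouts/list.php',
];

/** Return the absolute path for an allowlisted key, or null for anything else. */
function example_resolve_layout(string $key, string $baseDir): ?string
{
    // The untrusted value is used only as an array key, never as part of a path.
    if (!array_key_exists($key, EXAMPLE_LAYOUTS)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . EXAMPLE_LAYOUTS[$key]);
    if ($base === false || $path === false) {
        return null; // base directory or mapped file does not exist
    }
    // Defence in depth: after symlink resolution the file must sit under $base.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway template directory holding one layout file.
$base = sys_get_temp_dir() . '/include_allowlist_demo_' . getmypid();
mkdir($base . '/layouts', 0700, true);
file_put_contents($base . '/layouts/grid.php', "<?php echo \"grid layout rendered\\n\";\n");

// Constructed inputs: a valid key, an allowlisted key whose file is missing,
// and a path-like value that is not a key at all.
foreach (['grid', 'list', '../layouts/grid'] as $input) {
    $file = example_resolve_layout($input, $base);
    if ($file === null) {
        echo "rejected: {$input}\n";
        continue;
    }
    include $file; // only ever reached with a path taken from the allowlist
}

// Remove the constructed demo files.
unlink($base . '/layouts/grid.php');
rmdir($base . '/layouts');
rmdir($base);
```

Only the `grid` key reaches `include`; the other two inputs are rejected before any path is built from them.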


Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:15:00 +0000

Type: Metrics ssvc
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics cvssV3_1
Values Removed: (none)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Thembay; Thembay hara; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Thembay; Thembay hara; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17.

Type: Title
Values Removed: (none)
Values Added: WordPress Hara theme <= 1.2.17 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:31:10.802Z

Reserved: 2025-12-15T10:00:33.669Z

Link: CVE-2025-67980

Vulnrichment

Updated: 2026-02-24T20:35:15.255Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:04.323

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67980

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T21:00:13Z

Weaknesses