Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion. This issue affects PeakShops: from n/a through < 1.5.9.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper control of the filename used in include/require statements in the PeakShops WordPress theme, classified as CWE-98. The flaw permits PHP Local File Inclusion. Based on the description, it is inferred that an attacker who can reach the insecure include could read local files or execute code if the LFI is exploitable, potentially exposing configuration files or credentials or allowing arbitrary code execution, and so affecting the confidentiality and integrity of the website.

Affected Systems

The PeakShops theme by fuelthemes is vulnerable in all releases prior to 1.5.9. Versions 1.5.9 and later contain the fix. The vulnerability was identified in core theme files that accept filename parameters without validation.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score is less than 1%, suggesting low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog. Without a vendor patch, an attacker would need to supply a crafted parameter to trigger the insecure include. The specific attack vector is not detailed in the vendor’s description, but is likely via an HTTP request that passes a filename to the theme’s logic.

Generated by OpenCVE AI on April 28, 2026 at 09:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PeakShops to version 1.5.9 or newer, which removes the insecure include logic.
  • If the update cannot be performed immediately, modify the theme files to validate or sanitize any user-provided filenames and restrict include paths to a whitelist.
  • After implementing the fix, scan the site for remaining inclusion points and ensure no arbitrary file paths are accepted.
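The second recommended action above (validate the filename and restrict includes to a whitelist) is the standard fix for CWE-98. The following PHP is an added illustration, not code from the PeakShops theme or from OpenCVE: the `view` request parameter, the `views/` directory and the two template file names are assumptions. It places the insecure include pattern the advisory describes beside an allowlisted loader that also confirms the resolved path stays inside the theme directory.

```php
<?php
/**
 * Added example, not code from the PeakShops theme. Shows the CWE-98
 * include pattern beside an allowlisted loader. The 'view' parameter, the
 * views/ directory and the file names are assumptions for illustration.
 */

// Base directory for templates. get_template_directory() exists in
// WordPress; the fallback lets this file run stand-alone.
function peak_views_dir(): string {
    $base = function_exists('get_template_directory') ? get_template_directory() : __DIR__;
    return $base . '/views';
}

// INSECURE (CWE-98): the request value reaches include() unchanged, so a
// traversal sequence or an absolute path selects an arbitrary local file.
function load_view_insecure(string $view): void {
    include peak_views_dir() . '/' . $view . '.php';
}

// Allowlisted: the request value is only ever a key into a fixed map, and
// anything else falls back to the default. The path that reaches include()
// is therefore always one of two constants.
function resolve_view(string $view): string {
    $allowed = [
        'grid' => 'product-grid.php',
        'list' => 'product-list.php',
    ];
    return $allowed[$view] ?? $allowed['grid'];
}

// Defence in depth: even for an allowlisted name, confirm the resolved,
// symlink-free path lies inside views/ before including it. Returns false
// (and includes nothing) when the file is missing or resolves elsewhere.
function load_view_allowlisted(string $view): bool {
    $dir  = realpath(peak_views_dir());
    $file = realpath(peak_views_dir() . '/' . resolve_view($view));
    if ($dir === false || $file === false
        || strpos($file, $dir . DIRECTORY_SEPARATOR) !== 0) {
        error_log('view rejected: ' . $view);   // useful signal for detection
        return false;
    }
    include $file;
    return true;
}

// Usage: sanitize_key() (WordPress) strips everything but [a-z0-9_-] before
// the lookup; the ?? operator supplies the default when no parameter is sent.
$requested = $_GET['view'] ?? 'grid';
if (function_exists('sanitize_key')) {
    $requested = sanitize_key($requested);
}
load_view_allowlisted($requested);
```

The map lookup, not the sanitization, is what closes the hole: `sanitize_key()` alone would still let a valid-looking but unintended name reach `include`. The `realpath` check is a second layer for the case where a template file is later replaced by a symlink, and the `error_log` line gives operators a hook for alerting on repeated rejected values while the theme is still unpatched.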



Advisories

No advisories yet.

History

Wed, 25 Feb 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Fuelthemes; Fuelthemes peakshops; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Fuelthemes; Fuelthemes peakshops; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion. This issue affects PeakShops: from n/a through < 1.5.9.

Type: Title
Values Added: WordPress PeakShops theme < 1.5.9 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:52:07.917Z

Reserved: 2025-12-31T20:12:18.799Z

Link: CVE-2025-69322

Vulnrichment

Updated: 2026-02-24T20:32:24.855Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:19.393

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69322

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T09:45:28Z

Weaknesses