Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion. This issue affects Splendour: from n/a through <= 1.23.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially leading to code execution
Action: Immediate Patch
AI Analysis

Impact

The Splendour WordPress theme contains an improper control of filename for include/require statements in PHP, allowing local file inclusion. An attacker can supply a crafted file path to the vulnerable code and read or execute arbitrary local files on the server, which could disclose sensitive information or compromise the site if the included file contains executable code.

Affected Systems

Any installation of the ThemeREX Splendour WordPress theme from the earliest release up to and including version 1.23 is potentially affected. Users should verify which version they are running and note that the issue does not apply to versions 1.24 or later.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity, while the EPSS score is less than 1%, suggesting a lower likelihood of exploitation at this time. It is not listed in the CISA KEV catalog. The likely attack vector is the theme's file inclusion logic, which can be triggered by a specially crafted request to the site. Although public exploitation evidence is lacking, the high CVSS score warrants prompt remediation to prevent possible data exposure or further compromise.

Generated by OpenCVE AI on April 27, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Splendour theme to version 1.24 or later, which resolves the LFI flaw.
  • If an upgrade is not immediately feasible, deactivate or uninstall the Splendour theme to remove the vulnerable code from the production environment.
  • Configure the web server or WordPress to restrict direct access to the theme directory and disable PHP file inclusion for untrusted paths, for example by adding appropriate rules in .htaccess or server configuration files.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Themerex; Themerex splendour; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themerex; Themerex splendour; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion. This issue affects Splendour: from n/a through <= 1.23.

Type: Title
Values Added: WordPress Splendour theme <= 1.23 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:59:25.851Z

Reserved: 2025-12-31T20:13:16.054Z

Link: CVE-2025-69396

Vulnrichment

Updated: 2026-02-24T20:32:08.768Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:25.250

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69396

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses