Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from an improper control of filename for include/require statements in the ThemeREX Plank theme. The flaw, identified as CWE‑98, permits an attacker to influence the filename that the PHP include/require functions load. An attacker can thus read or execute arbitrary local files through the theme’s code, a path that may lead to remote code execution if a malicious file is served.

Affected Systems

WordPress installations that use the ThemeREX Plank theme with any version from the earliest release through version 1.7 inclusive are affected. The vendor is ThemeREX, product Plank. Sites running these versions have the vulnerable include logic in the theme’s PHP files.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity. The EPSS score of less than 1% indicates that, as of this analysis, exploitation is unlikely to be observed in the wild, and it is not listed in the CISA KEV catalog. However, the weakness allows an unauthenticated attacker to influence the local file inclusion path, which could be leveraged to read sensitive files or inject code via PHP files, potentially achieving full site compromise if additional conditions (such as permissive file permissions) are met. The most likely attack vector involves manipulating a URL or form input that controls the filename used in the theme’s include logic, with the attack launched from any site accessible to the attacker.

Generated by OpenCVE AI on April 27, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Plank theme to version 1.8 or newer to eliminate the vulnerable include logic.
  • Remove or comment out any custom code within the theme that performs file inclusion based on user input, ensuring that only trusted filenames are used.
  • Restrict file permissions on the site’s file system and apply strict input validation to prevent arbitrary file path manipulation until the theme is updated.

Generated by OpenCVE AI on April 27, 2026 at 20:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex plank
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex plank
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7.
Title WordPress Plank theme <= 1.7 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Plank
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:59:46.156Z

Reserved: 2025-12-31T20:13:16.054Z

Link: CVE-2025-69398

cve-icon Vulnrichment

Updated: 2026-02-24T20:32:01.244Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:25.510

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69398

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses