Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion. This issue affects R&F: from n/a through <= 1.5.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The flaw is improper control over the filename used in a PHP include/require statement within the WordPress ThemeREX R&F theme. Because the theme does not validate the file path, an attacker who can influence it can make the server include arbitrary local files, potentially exposing sensitive configuration data or credentials, or enabling the inclusion of attacker-controlled content that could lead to remote code execution. This weakness is classified as CWE-98.

Affected Systems

WordPress installations running the ThemeREX R&F theme at version 1.5 or older are affected. Any deployment with the R&F theme at or below version 1.5 can be exploited; later releases are presumed to have the issue removed.

Risk and Exploitability

The CVSS score of 8.1 denotes a high severity, indicating potential compromise of confidentiality, integrity, and availability. The EPSS score of less than 1 percent signals that the vulnerability is unlikely to be actively exploited at present, and it is not listed in the CISA KEV catalog. Attackers could exploit the LFI by manipulating configuration options or request parameters that the theme processes for file inclusion, but would need some level of access to the WordPress admin interface or the ability to influence theme settings.

Generated by OpenCVE AI on April 27, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ThemeREX R&F WordPress theme to the latest available version or replace it with a secure alternative that does not contain the vulnerable code.
  • Disable PHP’s allow_url_include directive and limit the include path in the server configuration so that only trusted directories can be accessed via include/require statements.
  • Deploy a Web Application Firewall and configure it to block patterns consistent with file inclusion attempts, while also monitoring logs for suspicious activity.
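The recommended actions above describe the general fix for CWE-98: never build an include path from untrusted input, and constrain what PHP may include at the interpreter level. The following is an added illustration written for this page, not code from the R&F theme or from ThemeREX; the directory name `templates/`, the template names in the allowlist, and the `tpl` query parameter are all assumed for the example. It shows the unsafe pattern beside a hardened loader that resolves a request value against a fixed allowlist and then confirms the resolved path is inside the intended directory, plus a runtime check of the `allow_url_include` and `open_basedir` settings the second bullet refers to.

```php
<?php
// Constructed example of CWE-98 and its hardened counterpart (not the theme's own code).

// Unsafe pattern: the include path is derived directly from a request parameter,
// so path traversal sequences or stream wrappers in $requested reach include().
function load_template_unsafe(string $requested): void
{
    include __DIR__ . '/templates/' . $requested; // CWE-98: attacker-controlled filename
}

// Hardened pattern: map the request value onto a closed set of known template names.
const TEMPLATE_DIR = __DIR__ . '/templates';          // assumed location
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar']; // assumed names

function resolve_template(string $requested): ?string
{
    // Step 1: only a bare allowlisted name is acceptable; no separators, no extension,
    // no wrapper prefix can ever pass this comparison.
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $candidate = TEMPLATE_DIR . '/' . $requested . '.php';

    // Step 2 (defence in depth): canonicalise and confirm the file really lives under
    // TEMPLATE_DIR, so a symlink or a later change to the allowlist cannot escape it.
    $real = realpath($candidate);
    $base = realpath(TEMPLATE_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function load_template_safe(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400); // reject rather than fall back to a guessed file
        return;
    }
    include $path;
}

// Runtime visibility into the interpreter-level controls from the recommendations.
// allow_url_include is PHP_INI_SYSTEM: it must be set in php.ini, not via ini_set().
function ini_hardening_status(): array
{
    return [
        'allow_url_include_off' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false,
        'open_basedir_set'      => ini_get('open_basedir') !== '' && ini_get('open_basedir') !== false,
    ];
}

// Usage: a value containing "../", an absolute path or a "php://" prefix is refused at
// step 1 before any filesystem access occurs; only the three allowlisted names succeed.
load_template_safe($_GET['tpl'] ?? 'header');
```

The allowlist check alone closes the inclusion vector; the `realpath` comparison is there so that the loader stays safe even if someone later widens the allowlist or points `TEMPLATE_DIR` at a directory containing symlinks. Report the values from `ini_hardening_status()` in a health check so a server where `allow_url_include` has been re-enabled or `open_basedir` removed is noticed.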

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 10:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Type: Metrics
Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values added: Themerex; Themerex r&f; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Themerex; Themerex r&f; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion. This issue affects R&F: from n/a through <= 1.5.

Type: Title
Values added: WordPress R&F theme <= 1.5 - Local File Inclusion vulnerability

Type: Weaknesses
Values added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T21:00:22.984Z

Reserved: 2025-12-31T20:13:23.066Z

Link: CVE-2025-69402

Vulnrichment

Updated: 2026-02-24T20:31:48.608Z

NVD

Status : Deferred

Published: 2026-02-20T16:22:26.027

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:15:12Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')