Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes FiveStar fivestar allows PHP Local File Inclusion.This issue affects FiveStar: from n/a through <= 1.7.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially enabling code execution or data disclosure
Action: Apply patch
AI Analysis

Impact

The vulnerability resides in Mikado‑Themes FiveStar theme version 1.7 or earlier, where an include/require statement accepts unsanitized filenames. An attacker can potentially supply a path that causes the application to read arbitrary files or even execute malicious PHP scripts. This flaw is catalogued as CWE‑98 and could lead to the disclosure of sensitive information or the execution of harmful code if the included file contains executable content.

Affected Systems

WordPress installations that use the FiveStar theme from Mikado‑Themes, specifically all releases up to and including version 1.7. Any site deploying these versions is susceptible; newer versions are not affected.

Risk and Exploitability

The CVSS base score of 8.1 marks the flaw as high severity. The EPSS score of less than 1% indicates a currently low likelihood of exploitation, though this may change as attackers discover ways to bypass controls. The vulnerability is not listed in CISA's KEV catalog. Exploitation would likely require the attacker to influence the indicated filename string, potentially through URL manipulation or by creating a crafted file on the local server. Successful exploitation could permit reading of restricted files or execution of arbitrary code, thereby compromising confidentiality, integrity, and availability of the affected WordPress site.

Generated by OpenCVE AI on April 16, 2026 at 06:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FiveStar theme to a version newer than 1.7, ensuring the include/require logic has been sanitized
  • If an update is not feasible, disable or remove the vulnerable theme module and replace it with a secure alternative
  • Reduce the potential attack surface by configuring the web server to restrict direct access to PHP files and enforcing strict file permissions on the site's file system

Generated by OpenCVE AI on April 16, 2026 at 06:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 07:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes fivestar
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes fivestar
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes FiveStar fivestar allows PHP Local File Inclusion.This issue affects FiveStar: from n/a through <= 1.7.
Title WordPress FiveStar theme <= 1.7 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Mikado-themes Fivestar
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:33.497Z

Reserved: 2026-01-07T12:21:19.919Z

Link: CVE-2026-22344

cve-icon Vulnrichment

Updated: 2026-02-24T20:31:24.244Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:33.357

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22344

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses