Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Soleng soleng allows PHP Local File Inclusion. This issue affects Soleng: from n/a through <= 1.0.5.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Soleng theme for WordPress contains a Local File Inclusion flaw that permits an attacker to supply a filename to an include/require statement. Based on the description, it is inferred that this weakness allows the attacker to read arbitrary files from the local filesystem, potentially exposing sensitive data. This vulnerability, labeled as CWE-98, threatens confidentiality and integrity by making local files accessible to unauthorized parties.

Affected Systems

The issue affects the Soleng theme from axiomthemes, for all releases up to and including version 1.0.5. Any site using versions up to 1.0.5 is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 9.8, the flaw is classified as critical. The EPSS score is below 1%, indicating a very low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that LFI can be triggered by any user who can influence the include parameter, giving the attacker broad potential for exploitation. The likely attack vector is a request that supplies a crafted filename to the vulnerable code path, triggering unintended file inclusion.

Generated by OpenCVE AI on April 17, 2026 at 17:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Soleng theme to a version later than 1.0.5
  • Employ input validation and sanitization on any user-supplied filenames that are passed to include/require calls
  • Configure PHP to disable allow_url_include and other remote file inclusion mechanisms

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 24 Feb 2026 19:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Axiomthemes; Axiomthemes soleng; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Axiomthemes; Axiomthemes soleng; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Soleng soleng allows PHP Local File Inclusion. This issue affects Soleng: from n/a through <= 1.0.5.

Type: Title
Values Added: WordPress Soleng theme <= 1.0.5 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:01.946Z

Reserved: 2026-01-07T12:21:29.301Z

Link: CVE-2026-22365

Vulnrichment

Updated: 2026-02-24T18:37:19.880Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:35.517

Modified: 2026-04-23T15:36:27.893

Link: CVE-2026-22365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:30:23Z

Weaknesses