Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through <= 1.0.2.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially enabling arbitrary code execution
Action: Update Theme
AI Analysis

Impact

This vulnerability arises from an improper control of the filename used in PHP include/require statements within the Redy WordPress theme. The flaw allows an attacker to influence which file is included, leading to Local File Inclusion. Depending on the attacker’s access to the server, this can result in sensitive information disclosure and, if a malicious file can be served, remote code execution. The weakness is classified as CWE‑98 and carries a CVSS score of 8.1, indicating a high potential for damage if exploited.

Affected Systems

All installations of the Redy theme by axiomthemes with a version of 1.0.2 or earlier are affected. No further sub‑version details were provided, so any build of Redy released before or at 1.0.2 is vulnerable.

Risk and Exploitability

The estimated exploit probability is low, with an EPSS score of less than 1%. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the defect can be exploited locally on the WordPress installation and requires the attacker to trigger the include with a crafted filename. While the low EPSS suggests limited current exploitation, the high CVSS score and the nature of LFI mean the risk remains significant if the site is not promptly patched.

Generated by OpenCVE AI on April 18, 2026 at 11:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Redy theme to the latest available version released by axiomthemes, which removes the vulnerable include logic.
  • If an immediate upgrade is not possible, modify the theme files to eliminate any user‑controlled parameters in the include/require statements or replace them with a guarded whitelist that validates the filename before inclusion.
  • As a temporary brake, block direct web access to the theme's PHP files and directories by adding an .htaccess rule that denies all external requests to the theme folder, reducing the attack surface until a patch can be applied.

Generated by OpenCVE AI on April 18, 2026 at 11:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes redy
Wordpress
Wordpress wordpress
Vendors & Products Axiomthemes
Axiomthemes redy
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through <= 1.0.2.
Title WordPress Redy theme <= 1.0.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes Redy
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:38.487Z

Reserved: 2026-01-07T12:21:29.302Z

Link: CVE-2026-22368

cve-icon Vulnrichment

Updated: 2026-02-20T19:30:03.552Z

cve-icon NVD

Status : Deferred

Published: 2026-02-20T16:22:35.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22368

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:45:44Z

Weaknesses