Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Marveland marveland allows PHP Local File Inclusion. This issue affects Marveland: from n/a through <= 1.3.0.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Update Theme
AI Analysis

Impact

Improper control of filenames in the include/require statements of Axiomthemes Marveland allows attackers to read or execute files from the local file system. The vulnerability arises because the theme does not validate or constrain the path supplied to PHP's include/require functions, enabling arbitrary file access. If an attacker can supply a crafted path, they may read sensitive files such as configuration, or, if the included file contains executable code, trigger remote code execution on the server.

Affected Systems

Axiomthemes Marveland theme, versions n/a through 1.3.0, is affected. Any installation running these versions is vulnerable until a patch or upgrade removes the insecure include logic.

Risk and Exploitability

The CVSS v3 score of 8.1 highlights a high severity risk, and the EPSS score of less than 1 percent indicates that exploitation is currently rare, yet not impossible. The vulnerability is not cataloged in CISA's KEV list, suggesting no widely known exploits yet. The likely attack vector is through a web request that supplies a value used by the theme as a filename, allowing remote attackers to influence the include path. Successful exploitation would grant the attacker read access to arbitrary files on the server, and potentially the ability to execute malicious code if a PHP file can be placed on the filesystem.

Generated by OpenCVE AI on April 16, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Marveland theme to a version newer than 1.3.0.
  • If upgrading is not possible, remove or comment out the code that uses an unvalidated filename in require/include, ensuring only whitelisted files can be included.
  • Restrict the PHP include path to the theme directory and deny access to sensitive system files through server configuration.
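
One way to implement the allowlist from the second recommendation, shown as an added example that is neither the theme's code nor a vendor patch. The function name, the template slugs and the temporary directory are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added illustration of an allowlisted include (CWE-98 mitigation).
// marveland_safe_template() and the slugs below are hypothetical names.
// In a real theme the base directory would come from something like
// get_template_directory() . '/templates'.
const ALLOWED_TEMPLATES = [
    'blog-classic' => 'blog-classic.php',
    'blog-grid'    => 'blog-grid.php',
];

function marveland_safe_template(string $requested, string $base_dir): ?string
{
    // 1. The request value only selects a key; it is never joined into a path.
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;
    }
    $base = realpath($base_dir);
    if ($base === false) {
        return null;
    }
    // 2. Defence in depth: the resolved file must still sit inside the base
    //    directory (catches symlinks and a mistyped allowlist entry).
    $path   = realpath($base . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$requested]);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway template directory and sample request values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/blog-classic.php', '<?php echo "classic layout\n";');

foreach (['blog-classic', '../wp-config', 'blog-grid', 'unknown'] as $input) {
    $path = marveland_safe_template($input, $dir);
    if ($path === null) {
        // Traversal strings, unknown slugs and missing files all end up here.
        echo 'rejected: ' . var_export($input, true) . "\n";
        continue;
    }
    echo 'including: ' . basename($path) . "\n";
    include $path;
}

unlink($dir . '/blog-classic.php');
rmdir($dir);
```

For the third recommendation, PHP's `open_basedir` setting limits which directories file operations can reach and complements the allowlist rather than replacing it.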



Advisories

No advisories yet.

History

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Axiomthemes; Axiomthemes marveland; Wordpress; Wordpress wordpress
Vendors & Products | | Axiomthemes; Axiomthemes marveland; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Marveland marveland allows PHP Local File Inclusion. This issue affects Marveland: from n/a through <= 1.3.0.
Title | | WordPress Marveland theme <= 1.3.0 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:38.786Z

Reserved: 2026-01-07T12:21:29.302Z

Link: CVE-2026-22370

Vulnrichment

Updated: 2026-02-20T19:25:13.756Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:36.260

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses