Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Netmix netmix allows PHP Local File Inclusion. This issue affects Netmix: from n/a through <= 1.0.10.
Published: 2026-02-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from an improper control of filename in a PHP include/require statement within the AncoraThemes Netmix WordPress theme. This flaw allows a local file inclusion attack, where an attacker can supply a file path that the application will read and possibly execute. The impact is the potential execution of arbitrary code on the server, with a CVSS score of 8.1 indicating high severity.

Affected Systems

Affected systems are installations of the AncoraThemes Netmix WordPress theme with versions 1.0.10 or earlier. The vulnerability is present in all releases from the initial version up to and including 1.0.10.

Risk and Exploitability

Risk assessment shows a high severity CVSS score but a low EPSS score of less than 1%, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be local file inclusion, likely triggered by a user-supplied parameter that is propagated to an include/require call without proper validation. Exploitation would require access to a path that the web server can read, such as /etc/passwd, but the feasibility depends on server configuration.

Generated by OpenCVE AI on April 16, 2026 at 06:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Netmix theme to a version newer than 1.0.10, preferably the latest release from AncoraThemes, which contains the fix for the local file inclusion flaw.
  • Temporarily block user-controlled input that is used in include/require statements by editing theme files or configuring the server to reject such values, ensuring no arbitrary file paths are passed to the PHP include function.
  • Verify that the inclusion vector has been closed by attempting to trigger the flaw with a test input (for example, requesting the parameter with a path to /etc/passwd) and confirming that the server does not return the local file content or execute it.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes netmix
Wordpress
Wordpress wordpress
Vendors & Products Ancorathemes
Ancorathemes netmix
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Netmix netmix allows PHP Local File Inclusion. This issue affects Netmix: from n/a through <= 1.0.10.
Title WordPress Netmix theme <= 1.0.10 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:40.276Z

Reserved: 2026-01-07T12:21:36.721Z

Link: CVE-2026-22379

Vulnrichment

Updated: 2026-02-24T20:21:58.563Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:37.430

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22379

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:15:26Z

Weaknesses