Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Cortex cortex allows PHP Local File Inclusion.This issue affects Cortex: from n/a through <= 1.5.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential RCE)
Action: Patch Now
AI Analysis

Impact

The Cortex theme contains a PHP include/require statement that accepts a filename parameter directly from user input without proper validation. This lack of input sanitization allows a remote attacker to craft requests that cause the server to include arbitrary local files. The resulting local file inclusion can be used to read sensitive configuration files, database credentials, or user uploads, and, if the included file contains executable PHP code, may lead to remote code execution. The weakness is classified as CWE-98.

Affected Systems

The vulnerability affects the Mikado‑Themes Cortex WordPress theme for all releases up to and including version 1.5. Any website using Cortex 1.5 or earlier is at risk unless the theme is upgraded. No other WordPress components are known to be affected.

Risk and Exploitability

The CVSS score of 8.1 categorizes this flaw as high severity. Although current evidence indicates a low exploitation likelihood, the attack does not require privileged local access; an attacker can trigger it by sending a crafted HTTP request to a public endpoint that forwards the filename to the include/require call. The impact can range from information disclosure to full command execution if the server permits executing PHP from the included file.

Generated by OpenCVE AI on April 16, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Cortex theme to the latest version (any release newer than 1.5).
  • Ensure that any include/require function in the theme validates file paths and does not use unsanitized user input.
  • Restrict the PHP process and file system permissions so that only necessary files are accessible, limiting the potential impact of a successful inclusion.

Generated by OpenCVE AI on April 16, 2026 at 12:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Mikado-themes
Mikado-themes cortex
Wordpress
Wordpress wordpress
Vendors & Products Mikado-themes
Mikado-themes cortex
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Cortex cortex allows PHP Local File Inclusion.This issue affects Cortex: from n/a through <= 1.5.
Title WordPress Cortex theme <= 1.5 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Mikado-themes Cortex
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:42.289Z

Reserved: 2026-01-07T12:21:40.879Z

Link: CVE-2026-22392

cve-icon Vulnrichment

Updated: 2026-03-09T17:01:36.526Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:13.663

Modified: 2026-03-09T18:16:17.590

Link: CVE-2026-22392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses