Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Holmes holmes allows PHP Local File Inclusion. This issue affects Holmes: from n/a through <= 1.7.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

Improper control of the filename for include/require statements in the Holmes theme allows an attacker to trigger a local file inclusion vulnerability. An attacker could read arbitrary files on the server or, if the server permits it, execute PHP code, potentially leading to full compromise of the site.

Affected Systems

WordPress installations that use the Mikado-Themes Holmes theme, versions up to and including 1.7. Any site that has not updated beyond 1.7 is susceptible.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score of < 1% reflects a low but non‑zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves exploitation of a local file inclusion point, which may be triggered by a crafted request or a logged‑in user with access to the affected theme’s include mechanisms. Successful exploitation could lead to a breach of confidentiality, integrity, or availability of the WordPress site.

Generated by OpenCVE AI on April 16, 2026 at 12:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Holmes theme to a version newer than 1.7.
  • If a patch update is unavailable, restrict direct access to the theme’s PHP files using web server configuration or a firewall rule to prevent arbitrary inclusion.
  • Deploy a web application firewall rule that blocks requests containing suspicious include patterns such as "../../" or encoded characters.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mikado-themes; Mikado-themes holmes; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mikado-themes; Mikado-themes holmes; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Holmes holmes allows PHP Local File Inclusion. This issue affects Holmes: from n/a through <= 1.7.

Type: Title
Values Removed: (none)
Values Added: WordPress Holmes theme <= 1.7 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:43.442Z

Reserved: 2026-01-07T12:21:46.517Z

Link: CVE-2026-22399

Vulnrichment

Updated: 2026-03-09T16:56:22.232Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:14.213

Modified: 2026-03-09T18:16:17.957

Link: CVE-2026-22399

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:00:11Z

Weaknesses