Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7.
Published: 2026-01-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The Triply theme for WordPress improperly controls the filename passed to its include/require statements, which allows local file inclusion (LFI). An attacker could craft a request that causes the PHP code to include a user-supplied file path, potentially reading sensitive files or executing PHP code that already resides on the server. The flaw is classified as CWE-98 and can result in information disclosure and, in some instances, execution of code that was uploaded to the site.

Affected Systems

Any WordPress site running the pavothemes Triply theme at version 2.4.7 or earlier is affected: every release from the earliest version through 2.4.7 inclusive. Installations that have upgraded beyond 2.4.7 are not impacted by this specific flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests that exploitation is currently unlikely but still possible. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is a web request that manipulates an inclusion path in the theme's PHP code: an attacker with network access to the web server, or the ability to influence user-controlled parameters, could exploit the flaw by appending a path traversal sequence to a query parameter the theme uses to include files. No preconditions beyond normal web access are required.

Generated by OpenCVE AI on April 18, 2026 at 03:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Triply theme to version 2.4.8 or later to eliminate the LFI flaw
  • Configure the PHP environment to disallow untrusted includes by setting allow_url_fopen to Off and restricting open_basedir to a secure directory
  • Sanitize or validate any user input that may influence include paths in the theme’s PHP code, removing directory traversal characters and ensuring only legitimate files are included.
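The third action above (validating any input that can influence an include path) is the one a theme developer has to get right in code. The following is an added example, not code from the Triply theme, from pavothemes or from OpenCVE: a hypothetical WordPress template loader shown first in the CWE-98 pattern this record describes and then in a hardened form that resolves the request value against a fixed allowlist instead of building a filesystem path from it. The query parameter name `template`, the `partials/` directory and the partial names are assumptions made for the illustration.

```php
<?php
// Added example (hypothetical theme code, not the Triply theme's own).
// Assumptions: the theme reads a "template" query parameter and keeps its
// template partials under a "partials/" directory beside this file.

// --- Vulnerable pattern (CWE-98, illustrative only; never called below) ------
// The request value flows straight into include(), so any readable file the
// PHP process can reach becomes includable. This is what the record calls
// "Local File Inclusion".
function load_partial_unsafe(string $template): void
{
    include __DIR__ . '/partials/' . $template . '.php';
}

// --- Hardened form ----------------------------------------------------------
// Fixed allowlist: request values are keys, never path fragments.
const ALLOWED_PARTIALS = [
    'hero'    => 'partials/hero.php',
    'listing' => 'partials/listing.php',
    'footer'  => 'partials/footer.php',
];

/**
 * Resolve a requested partial name to an absolute path inside partials/,
 * or return null when it is not allowlisted or does not exist on disk.
 */
function resolve_partial(string $requested): ?string
{
    // Exact-match lookup: traversal sequences, null bytes and stream wrappers
    // such as php:// can never match an allowlist key.
    if (!array_key_exists($requested, ALLOWED_PARTIALS)) {
        return null;
    }
    $path = realpath(__DIR__ . '/' . ALLOWED_PARTIALS[$requested]);
    $base = realpath(__DIR__ . '/partials');
    // Defence in depth: even a mis-edited allowlist entry cannot escape
    // the partials directory (realpath() returns false for missing files).
    if ($path === false || $base === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_partial_safe(string $requested): void
{
    $path = resolve_partial($requested);
    if ($path === null) {
        // Log rejected values: repeated misses containing "../" or "php://"
        // are a useful detection signal for probing against this flaw.
        error_log(sprintf('theme: rejected template partial %s', json_encode($requested)));
        http_response_code(404);
        return;
    }
    include $path;
}

// Dispatch. sanitize_key() and wp_unslash() are WordPress core functions;
// sanitize_key() lowercases and strips everything except [a-z0-9_-].
if (function_exists('sanitize_key')) {
    $requested = isset($_GET['template']) ? sanitize_key(wp_unslash($_GET['template'])) : 'hero';
} else {
    // Stand-alone fallback when WordPress is not loaded, same character policy.
    $requested = isset($_GET['template'])
        ? preg_replace('/[^a-z0-9_-]/', '', strtolower((string) $_GET['template']))
        : 'hero';
}
load_partial_safe($requested);
```

The allowlist does the real work; the `realpath()` prefix check and the `sanitize_key()` filtering are secondary layers, and the `error_log()` call gives operators something to alert on. On the PHP configuration side of the second action above, note that `allow_url_fopen` governs URL access by `fopen()`-style functions, while the setting that controls whether `include`/`require` may load URLs is `allow_url_include` (Off by default in modern PHP); `open_basedir` restricts which local paths any file function, including `include`, may touch, which is the setting that directly limits local file inclusion.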


Advisories

No advisories yet.

History

Tue, 27 Jan 2026 18:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7.

Type: Title
Values Added: WordPress Triply theme <= 2.4.7 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References (no values listed on the page)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:43.953Z

Reserved: 2026-01-07T12:21:46.518Z

Link: CVE-2026-22402

Vulnrichment

Updated: 2026-01-27T17:46:00.469Z

NVD

Status: Deferred

Published: 2026-01-22T17:16:33.433

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-22402

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T03:45:21Z

Weaknesses