Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Justicia justicia allows PHP Local File Inclusion. This issue affects Justicia: from n/a through <= 1.2.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion allowing disclosure and potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

Improper control of the filename in a PHP include/require statement allows user‑controlled file paths to be processed in the Mikado‑Themes Justicia theme. An attacker who can supply an arbitrary include path could read local files or upload a malicious PHP script and include it, effectively executing arbitrary code on the site. The weakness is classified as CWE‑98.

Affected Systems

The affected product is the WordPress theme "Justicia" from the vendor Mikado‑Themes. All releases from the first version up through 1.2 contain the vulnerable code, and no fixed version is currently cited, indicating that any installation running 1.2 or earlier remains exposed.

Risk and Exploitability

The vulnerability has a high CVSS score of 8.1, yet its EPSS score is below 1%, suggesting few observed exploit attempts. It is not listed in the CISA KEV catalog. The attack likely requires a crafted input to the theme’s include logic, which may be a publicly accessible parameter. Because the flaw allows file inclusion without validation, exploitation could lead to reading sensitive files or arbitrary code execution, although the low EPSS indicates current exploitation risk is modest.

Generated by OpenCVE AI on April 16, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading the Justicia theme to a version later than 1.2.
  • If an update cannot be applied, deactivate or delete the theme to remove the vulnerable code path.
  • As a temporary measure, configure WordPress to block unfiltered file inclusion and sanitize any user‑supplied file paths used by the theme.

Generated by OpenCVE AI on April 16, 2026 at 05:36 UTC.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mikado-themes; Mikado-themes justicia; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mikado-themes; Mikado-themes justicia; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Justicia justicia allows PHP Local File Inclusion. This issue affects Justicia: from n/a through <= 1.2.

Type: Title
Values Removed: (none)
Values Added: WordPress Justicia theme <= 1.2 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:44.935Z

Reserved: 2026-01-07T12:21:56.449Z

Link: CVE-2026-22408

Vulnrichment

Updated: 2026-03-10T14:26:33.824Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:14.620

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22408

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses