Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Eona eona allows PHP Local File Inclusion. This issue affects Eona: from n/a through <= 1.3.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Upgrade Theme
AI Analysis

Impact

The Eona theme includes files whose names are taken from user input without proper validation. This flaw lets an attacker read any file the web server process can access, potentially exposing sensitive data or files that could support further compromise. Because the inclusion happens in PHP code, an included file may also be executed, turning the weakness into a code‑execution risk under the right conditions.

Affected Systems

Mikado‑Themes’ Eona theme, any release up through version 1.3. No specific sub‑version has been exempted; all releases prior to the fix are affected.

Risk and Exploitability

The CVSS score of 8.1 signals a high-severity weakness, while the current EPSS of less than 1% indicates that active exploitation is not widespread at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known, widely used exploit. An attacker would likely need to send a crafted request that reaches the vulnerable include, taking advantage of the missing filename sanitization. The exposure is confined to the web server hosting WordPress, but the data disclosed or code executed there could affect the entire host.

Generated by OpenCVE AI on April 16, 2026 at 05:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Eona theme to a version newer than 1.3, which contains the fixed include logic.
  • Remove or replace any code paths in the theme that accept arbitrary filenames for inclusion, ensuring that only a whitelist of safe files is used.
  • Disable PHP’s allow_url_fopen setting and validate any remaining filenames with strict path checks before inclusion.
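The second and third actions above describe an allow-list include with a strict path check. The snippet below is an added illustration of that pattern written for this page; it is not code from the Eona theme, from Mikado-Themes, or from OpenCVE. The template names, the `resolve_template` helper and the `template` request parameter are constructed for the example.

```php
<?php
// Added example (not code from the Eona theme or from OpenCVE): resolve a
// request-supplied template key through a fixed allow-list so that user
// input never reaches include/require as a path.

// Constructed allow-list: the only template keys a request may select.
const ALLOWED_TEMPLATES = [
    'default' => 'templates/default.php',
    'gallery' => 'templates/gallery.php',
    'contact' => 'templates/contact.php',
];

/**
 * Map an allow-listed key to an absolute path under $base_dir.
 * Returns null for any key not on the list, and also when the resolved
 * file does not live under $base_dir (defence in depth against symlinks
 * or a misconfigured base directory).
 */
function resolve_template(string $key, string $base_dir): ?string
{
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;
    }

    $root = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . ALLOWED_TEMPLATES[$key]);
    if ($root === false || $path === false) {
        return null;
    }

    // The resolved path must start with "<root>/" to count as inside the theme.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// The weak pattern the advisory describes is a request value used directly
// as the include target, e.g. `include $_GET['template'];`. The hardened
// form below only ever uses the request value as a lookup key.
$key  = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
$file = resolve_template($key, __DIR__);

if ($file === null) {
    http_response_code(400);
    exit('Unknown template');
}

require $file;
```

In a WordPress theme the base directory would normally come from `get_template_directory()` rather than `__DIR__`; the key point is unchanged: the request picks an entry from a fixed table, and the table, not the request, supplies the path that is included.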

Generated by OpenCVE AI on April 16, 2026 at 05:36 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:30:00 +0000

Type: Metrics
Values Removed: none
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Mikado-themes; Mikado-themes eona; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Mikado-themes; Mikado-themes eona; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Eona eona allows PHP Local File Inclusion. This issue affects Eona: from n/a through <= 1.3.

Type: Title
Values Added: WordPress Eona theme <= 1.3 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Subscriptions

Mikado-themes Eona
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:45.725Z

Reserved: 2026-01-07T12:21:56.449Z

Link: CVE-2026-22412

Vulnrichment

Updated: 2026-03-10T14:29:37.532Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:14.897

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22412

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses