Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgré malgre allows PHP Local File Inclusion. This issue affects Malgré: from n/a through <= 1.0.3.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that may lead to unauthorized file disclosure or remote code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is improper control of the filename passed to a PHP include or require statement (CWE-98). An attacker who can influence the include path can force the WordPress theme to load local files of their choosing. This allows the attacker to read sensitive files, such as configuration files, and, in some cases, to execute arbitrary PHP code if a file under the attacker's control is included or if the attacker can write PHP code into a file that is subsequently included. The CWE category covers both remote and local file inclusion; the exposure reported here is local file inclusion.

Affected Systems

The Mikado-Themes Malgré theme for WordPress is affected in all versions up to and including 1.0.3. No lower bound is given (the advisory lists the affected range as n/a through 1.0.3), so every release of the theme should be treated as vulnerable until it is updated.

Risk and Exploitability

The CVSS base score is 8.1 (High). The vector recorded on this page, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, describes an attack over the network that needs no privileges or user interaction but has high attack complexity, with full impact on confidentiality, integrity and availability. The EPSS score is below 1%, so at the time of analysis the estimated probability of exploitation in the wild is very low but not zero, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to send a crafted HTTP request that reaches the theme's unsanitized include logic; no physical access or privileged credentials are needed. The low EPSS should not be read as a reason to rely on passive monitoring alone: the high CVSS score means a successful exploit would have significant impact.

Generated by OpenCVE AI on April 16, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Malgre theme to the latest version or apply the vendor’s security patch.
  • If an update is not yet available, disable the theme immediately and switch to a trusted alternative WordPress theme.
  • Restrict file permissions on the WordPress installation so that the web server cannot read sensitive configuration files outside the theme directory.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Mikado-themes; Mikado-themes malgré; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Mikado-themes; Mikado-themes malgré; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgré malgre allows PHP Local File Inclusion. This issue affects Malgré: from n/a through <= 1.0.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Malgré theme <= 1.0.3 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added: (none shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:45.886Z

Reserved: 2026-01-07T12:21:56.450Z

Link: CVE-2026-22413

Vulnrichment

Updated: 2026-03-09T16:50:53.910Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:15.033

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22413

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses