Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through <= 1.8.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The SetSail theme for WordPress contains an improper control of filename for include/require statements. The flaw allows an attacker to specify arbitrary local file paths, which can result in reading sensitive files or executing code that appears within the application. The weakness is identified as CWE‑98 and can lead to disclosure of confidential data or remote code execution if an attacker can place malicious content in a file that the theme will include.

Affected Systems

WordPress users who have installed the SetSail theme version 1.8 or earlier are affected. This includes any site using SetSail n/a through 1.8.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score of less than 1% shows a low probability of exploitation at this time and the vulnerability is not listed in CISA’s KEV catalog. The issue is typically exploitable via the website’s front‑end or through user input that influences the include path; the specific attack vector is inferred because the description does not disclose it directly.

Generated by OpenCVE AI on April 16, 2026 at 05:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the SetSail theme to a version newer than 1.8.
  • If an update is unavailable, remove or rename the files that perform the include/require calls, or set appropriate file permissions to prevent access.
  • Implement server‑side input validation to stop arbitrary file paths from being passed to include/require functions.

Generated by OpenCVE AI on April 16, 2026 at 05:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes setsail
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes setsail
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through <= 1.8.
Title WordPress SetSail theme <= 1.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Select-themes Setsail
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:47.500Z

Reserved: 2026-01-07T12:22:01.195Z

Link: CVE-2026-22423

cve-icon Vulnrichment

Updated: 2026-03-10T14:49:16.897Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:16.290

Modified: 2026-03-10T18:18:08.980

Link: CVE-2026-22423

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:45:26Z

Weaknesses