Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Helvig helvig allows PHP Local File Inclusion.This issue affects Helvig: from n/a through <= 1.0.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially leading to code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper control of filenames in the Elated‑Themes Helvig WordPress theme, enabling local file inclusion via PHP include/require statements. This flaw is classified as CWE‑98 and could allow an attacker to read arbitrary files or execute malicious code on the server, thereby compromising the confidentiality, integrity, and availability of the hosted WordPress site.

Affected Systems

WordPress installations that have installed the Helvig theme, versions up to and including 1.0. Any site that has not upgraded past this version is susceptible; versions prior to 1.0 are also affected, although the exact start point is unspecified.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is high severity. EPSS indicates a very low exploitation likelihood (<1%), and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is local file inclusion driven by an attacker who can supply a file path to the theme’s inclusion logic, possibly via crafted URLs or internal requests.

Generated by OpenCVE AI on April 16, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Helvig theme to a version newer than 1.0 if one is available.
  • If an upgrade is not possible, disable the theme or remove the vulnerable include file paths and enforce strict file permission checks.
  • Apply general WordPress hardening measures, such as disabling file editing in the admin UI and ensuring the web server’s file system permissions prevent arbitrary script execution.

Generated by OpenCVE AI on April 16, 2026 at 05:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes helvig
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes helvig
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Helvig helvig allows PHP Local File Inclusion.This issue affects Helvig: from n/a through <= 1.0.
Title WordPress Helvig theme <= 1.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Elated-themes Helvig
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:50.260Z

Reserved: 2026-01-07T12:22:12.277Z

Link: CVE-2026-22436

cve-icon Vulnrichment

Updated: 2026-03-09T16:25:59.915Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:17.803

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22436

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses