Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Zentrum zentrum allows PHP Local File Inclusion. This issue affects Zentrum: from n/a through <= 1.0.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Update Theme
AI Analysis

Impact

The flaw occurs when the Zentrum theme processes a filename provided by a user and passes it directly to a PHP include or require statement without proper validation. This allows an attacker to read arbitrary files on the server or execute code residing on the file system, resulting in potential data disclosure or local code execution. The weakness is catalogued as CWE‑98.

Affected Systems

All releases of the Elated‑Themes Zentrum theme up to and including version 1.0 are affected. No other variants or versions are listed in the available data.

Risk and Exploitability

Because the vulnerability has a CVSS base score of 8.1, it is considered high severity. The EPSS score is reported as < 1 %, indicating a very low likelihood of exploitation at this time. It is not listed in the CISA KEV catalog. The likely attack vector involves an attacker forging a request that supplies a controlled filename to a page that performs the vulnerable include, which requires the attacker to be able to influence a PHP script that accepts such parameters.

Generated by OpenCVE AI on April 17, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zentrum theme to a version newer than 1.0 that contains the file‑inclusion fix.
  • If an immediate upgrade is unavailable, disabling or removing the Zentrum theme will eliminate the vulnerable code path.
  • Implement strict input validation or a whitelist for any future file‑inclusion operations to mitigate CWE‑98 vulnerabilities.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elated-themes; Elated-themes zentrum; Wordpress; Wordpress wordpress
Vendors & Products | | Elated-themes; Elated-themes zentrum; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Zentrum zentrum allows PHP Local File Inclusion. This issue affects Zentrum: from n/a through <= 1.0.
Title | | WordPress Zentrum theme <= 1.0 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:51.143Z

Reserved: 2026-01-07T12:22:12.277Z

Link: CVE-2026-22441

Vulnrichment

Updated: 2026-03-10T15:33:34.947Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:18.663

Modified: 2026-03-10T18:18:10.460

Link: CVE-2026-22441

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z
