Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Don Peppe donpeppe allows PHP Local File Inclusion. This issue affects Don Peppe: from n/a through <= 1.3.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially enabling arbitrary code execution or sensitive data exposure
Action: Apply Update
AI Analysis

Impact

The Don Peppe WordPress theme contains an improper control of filename in a PHP include/require statement, allowing an attacker to supply a crafted filename. This local file inclusion flaw can enable reading of arbitrary files on the server, and if a relevant file is included and executed, it may lead to execution of arbitrary PHP code. The vulnerability’s high CVSS score reflects the severity of the potential impact, which includes loss of confidentiality, integrity, and availability of the web application.

Affected Systems

All releases of the Don Peppe theme up to and including version 1.3 are affected. This includes any WordPress site that has installed the theme at or below that version.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests that exploitation is currently considered low probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the web application, where an attacker can manipulate query parameters or input that controls the include path. Successful exploitation requires no special privileges beyond a web request; if the attacker gains the ability to trigger the vulnerable include, the local file can be read or executed remotely.

Generated by OpenCVE AI on April 16, 2026 at 05:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Don Peppe theme to a release newer than version 1.3 or apply the vendor’s patch if available.
  • If an immediate upgrade is not possible, disable or remove the dynamic include feature that relies on user‑controlled input and restrict the include path to a safe, white‑listed directory.
  • Audit web server configuration to ensure that PHP files cannot be inadvertently served from sensitive directories, and monitor access logs for anomalous include attempts.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Select-themes; Select-themes don Peppe; Wordpress; Wordpress wordpress
Vendors & Products | | Select-themes; Select-themes don Peppe; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Don Peppe donpeppe allows PHP Local File Inclusion. This issue affects Don Peppe: from n/a through <= 1.3.
Title | | WordPress Don Peppe theme <= 1.3 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:52.109Z

Reserved: 2026-01-07T13:43:49.724Z

Link: CVE-2026-22449

Vulnrichment

Updated: 2026-03-10T15:39:43.246Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:19.190

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22449

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses