Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hoverex hoverex allows PHP Local File Inclusion.This issue affects Hoverex: from n/a through <= 1.5.10.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that could enable arbitrary code execution or sensitive data exposure
Action: Patch
AI Analysis

Impact

The Hoverex WordPress theme uses an unsanitized filename in a PHP include/require call, a classic CWE‑98 flaw. An attacker can influence the value passed to the include/require routine. Successful exploitation can read any file that the web server’s process can access or inject PHP code, leading to code execution, data disclosure and a full compromise of confidentiality, integrity, and availability.

Affected Systems

The flaw affects any WordPress site running the ThemeREX Hoverex theme version 1.5.10 or earlier. No later versions are reported as impacted in the advisory.

Risk and Exploitability

The base CVSS score is 8.1, classifying the vulnerability as high severity. The EPSS probability is less than 1 %, indicating a very low likelihood of exploitation in the current landscape, and it is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, is manipulation of a request parameter that is forwarded directly to the vulnerable include/require call—e.g., a crafted URL that feeds a path into the PHP routine. Because no mitigations are described in the advisory, exploitation requires only that the attacker can craft such a request and that the web server user has permission to read the targeted file or execute injected code.

Generated by OpenCVE AI on April 17, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Hoverex theme to the latest release once a patch is available; if no fix exists yet, disable or uninstall the theme to prevent the vulnerability from being reachable.
  • Remove or rewrite any code paths that use user‑supplied values in include/require statements, ensuring they are no longer present in the code base.
  • Restrict file permissions on the theme directory so that the web server can only read non‑executable files and cannot write new data, reducing the impact of any remaining LFI paths.
  • Validate all user input that is used in include/require calls to confirm it matches an approved list of safe files or paths.

Generated by OpenCVE AI on April 17, 2026 at 12:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex hoverex
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex hoverex
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hoverex hoverex allows PHP Local File Inclusion.This issue affects Hoverex: from n/a through <= 1.5.10.
Title WordPress Hoverex theme <= 1.5.10 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Hoverex
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:53.147Z

Reserved: 2026-01-07T13:43:49.724Z

Link: CVE-2026-22452

cve-icon Vulnrichment

Updated: 2026-03-10T15:41:41.868Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:19.447

Modified: 2026-03-10T18:18:11.007

Link: CVE-2026-22452

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z

Weaknesses