Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion. This issue affects Wanderland: from n/a through <= 1.5.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

This vulnerability is an improper control of filename in a PHP include/require statement that allows local file inclusion. It can enable an attacker to read arbitrary files from the server, potentially exposing sensitive configuration, authentication credentials, or other confidential data. The weakness is identified as CWE‑98. While the description does not explicitly mention code execution, LFI can often be leveraged for Remote File Inclusion if the server allows fetching remote files, thereby risking further compromise. The CVSS score of 8.1 indicates a high severity impact.

Affected Systems

The Mikado Themes Wanderland WordPress theme is affected for all releases up to and including version 1.5. Any site using these versions is susceptible, regardless of other WordPress versions or plugins. No other products or vendors are listed as impacted.

Risk and Exploitability

The CVSS rating classifies the issue as high severity. The EPSS score is less than 1 %, suggesting a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local file inclusion through a crafted request that manipulates a file path used by the theme during a PHP include operation. Exploitation requires either an exposed vulnerable endpoint or an ability to influence the file path parameter used by the theme.

Generated by OpenCVE AI on April 16, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wanderland theme to a version newer than 1.5; newer releases contain the fix for the local file inclusion issue.
  • If an upgrade is not possible, remove or disable the part of the theme that performs the unsanitized include, such as disabling the specific template or page that triggers the vulnerable file inclusion.
  • Implement input validation or a web‑application firewall rule that blocks directory traversal patterns (e.g., ‘..’) and restricts file path inputs to an allowed list of safe files.



Advisories

No advisories yet.

History

Mon, 09 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Mikado-themes; Mikado-themes wanderland; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Mikado-themes; Mikado-themes wanderland; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wanderland wanderland allows PHP Local File Inclusion. This issue affects Wanderland: from n/a through <= 1.5.

Type: Title
Values Added: WordPress Wanderland theme <= 1.5 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:54.865Z

Reserved: 2026-01-07T13:43:59.552Z

Link: CVE-2026-22457

Vulnrichment

Updated: 2026-03-09T15:58:02.948Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:20.110

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-22457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z
