Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Etchy etchy allows PHP Local File Inclusion. This issue affects Etchy: from n/a through <= 1.0.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that can lead to remote code execution
Action: Patch Theme
AI Analysis

Impact

The vulnerability stems from improper control of the filename used in PHP include/require statements, allowing an attacker to influence the path and trigger a local file inclusion. If successful, this flaw could enable the disclosure of sensitive files or execution of arbitrary code, potentially compromising the entire WordPress site or allowing privilege escalation. The weakness is classified as CWE‑98.

Affected Systems

Elated‑Themes Etchy theme versions up to and including 1.0 are affected. No higher versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and the issue is not listed in the CISA KEV catalogue. The likely attack vector is inferred to be web-based, where an attacker crafts a request that manipulates the file path used by the theme for internal includes. Successful exploitation would require access to the theme’s configuration or overridable parameters, but the potential impact is significant due to the possibility of executing attacker-supplied code.

Generated by OpenCVE AI on April 16, 2026 at 05:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Etchy theme to a version newer than 1.0 or apply the vendor’s patch if available
  • If an upgrade is not immediately possible, disable the Etchy theme and switch to a default or alternate theme until the issue is resolved
  • Inspect and tighten any theme options or configuration that allow file inclusion from user-controlled inputs, ensuring they are secured against path traversal or arbitrary file access
  • Deploy a web application firewall rule to block suspicious requests that attempt to reference local file paths



Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes etchy
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes etchy
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Etchy etchy allows PHP Local File Inclusion. This issue affects Etchy: from n/a through <= 1.0.
Title WordPress Etchy theme <= 1.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:59.187Z

Reserved: 2026-01-07T13:44:16.750Z

Link: CVE-2026-22476

Vulnrichment

Updated: 2026-03-10T13:51:59.383Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:21.297

Modified: 2026-03-10T18:18:11.897

Link: CVE-2026-22476

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses