Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes FindAll findall allows PHP Local File Inclusion.This issue affects FindAll: from n/a through <= 1.4.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The flaw stems from insufficient validation of filenames used in PHP include or require statements within the Elated‑Themes FindAll theme. An attacker who can manipulate the filename parameter may trigger the inclusion of arbitrary local files on the web server. This can expose sensitive configuration, credential, or code files. While the vulnerability is classified as a local file inclusion, it could potentially lead to arbitrary PHP code execution if a writable file containing malicious code is included. The weakness is identified as CWE‑98.

Affected Systems

All releases of the Elated‑Themes FindAll WordPress theme up to and including version 1.4 are affected. No other vendors or product lines are listed in the CVE data.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability. The EPSS score of less than 1% suggests that exploitation attempts were rare at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred to be a web request that manipulates the filename used in the theme’s include logic, because the description references PHP include/require statements. An attacker would need to supply a crafted request that causes the theme to include a local file, which could reveal sensitive data or, if a malicious file is included, lead to remote code execution. The low EPSS probability does not negate the severity of the potential impact.

Generated by OpenCVE AI on April 17, 2026 at 12:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FindAll theme to version 1.5 or later to apply the vendor‑provided fix.
  • If upgrading is not immediately feasible, remove the FindAll theme from the site or disable any files that contain the vulnerable include logic.
  • Ensure the PHP configuration option "allow_url_include" is set to Off to mitigate remote file inclusion attempts and reduce the attack surface.

Generated by OpenCVE AI on April 17, 2026 at 12:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Elated Themes
Elated Themes findall
Wordpress
Wordpress wordpress
Vendors & Products Elated Themes
Elated Themes findall
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes FindAll findall allows PHP Local File Inclusion.This issue affects FindAll: from n/a through <= 1.4.
Title WordPress FindAll theme <= 1.4 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Elated Themes Findall
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:13:59.534Z

Reserved: 2026-01-07T13:44:16.751Z

Link: CVE-2026-22478

cve-icon Vulnrichment

Updated: 2026-03-10T13:49:29.482Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:21.563

Modified: 2026-03-10T18:18:12.073

Link: CVE-2026-22478

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z

Weaknesses