Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Improper filtering of file names in the Laurent WordPress theme allows an attacker to include arbitrary local PHP files via an include/require statement. This local file inclusion flaw, classified as CWE‑98, can permit reading sensitive files, or executing malicious PHP code if an included local file contains executable code. The resulting compromise of the site's integrity and authenticity could lead to full site takeover and data exposure, a high‑severity impact.

Affected Systems

The vulnerability affects the Elated‑Themes Laurent WordPress theme in all releases from the earliest version through version 3.1. Any site running one of those releases remains susceptible until a newer, unaffected version is installed.

Risk and Exploitability

The CVSS score of 8.1 indicates a significant threat, while the EPSS score of less than 1% suggests that exploitation in the wild is unlikely at present. Still, the flaw can be exploited by an attacker who is able to manipulate the include path, most likely by crafting a URL or request that supplies a local file name in place of an expected value. Local file inclusion may eventually allow remote code execution if the attacker can point the path at a PHP file containing malicious code. The vendor’s advisory recommends upgrading or patching, and the issue is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on March 26, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Laurent theme to a version newer than 3.1 or apply the vendor‑provided patch if available
  • Ensure the theme’s files are not directly accessible via the web and set proper file permissions
  • Remove or restrict any user‑controlled file‑include parameters in the theme’s code
  • Deploy a web application firewall rule to block suspicious file‑inclusion patterns
  • Monitor server logs for abnormal file‑include activity and remediate promptly



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Elated-themes
  Elated-themes laurent
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Elated-themes
  Elated-themes laurent
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Laurent theme <= 3.1 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:42.001Z

Reserved: 2026-01-07T13:44:30.742Z

Link: CVE-2026-22498

Vulnrichment

Updated: 2026-03-26T18:26:30.867Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:31.783

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22498

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:49Z

Weaknesses