Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion.This issue affects Lella: from n/a through <= 1.2.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The Lella WordPress theme contains improper control of filenames used in PHP include and require statements, which can lead to a Local File Inclusion flaw. An attacker can cause the theme to read arbitrary files from the server, and if the included file contains PHP code, it may execute that code in the context of the site. This defect aligns with CWE‑98 and can compromise the confidentiality of server files, potentially enabling further code execution.

Affected Systems

Any WordPress installation that uses the Elated‑Themes Lella theme version 1.2 or earlier is affected. The issue exists from the initial release through all updates that do not exceed 1.2 and applies to sites where the theme is active or its files are accessible.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, and the EPSS score of less than 1 % suggests a low probability of exploitation in the wild. Based on the description, it is inferred that an unauthenticated attacker could trigger the inclusion of arbitrary local files via a crafted URL or form parameter. The flaw is not listed in the CISA KEV catalog, and no special privileges beyond the presence of the vulnerable theme are required. If the attacker can force the inclusion of a PHP file, privilege escalation within WordPress could be achieved.

Generated by OpenCVE AI on March 26, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lella theme to any version newer than 1.2.
  • If an upgrade is not feasible, deactivate or delete the Lella theme from the WordPress installation.
  • Verify that no unexpected or malicious files appear in the theme’s directory and monitor server logs for suspicious activity.

Generated by OpenCVE AI on March 26, 2026 at 22:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes lella
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes lella
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Lella lella allows PHP Local File Inclusion.This issue affects Lella: from n/a through <= 1.2.
Title WordPress Lella theme <= 1.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Elated-themes Lella
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:41.862Z

Reserved: 2026-01-07T13:44:30.743Z

Link: CVE-2026-22499

cve-icon Vulnrichment

Updated: 2026-03-26T18:26:28.568Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:31.917

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22499

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:49Z

Weaknesses