CVE-2026-22503 - Vulnerability Details

- WordPress Nelson theme <= 1.2.0 - Local File Inclusion vulnerability

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion.This issue affects Nelson: from n/a through <= 1.2.0.

Published: 2026-03-25

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

ThemeREX Nelson 1.2.0 and earlier contain an improper control of the filename used in PHP include/require statements. This weakens the application to arbitrary file inclusion via the PHP interpreter. An attacker can supply a path that resolves to local files on the server and read sensitive data or, if a writable file is exposed, upload and execute arbitrary PHP code. The weakness corresponds to CWE‑98 “Improper Control of Filename”. The resulting impact is the potential compromise of confidentiality, integrity, and availability of the WordPress site.

Affected Systems

The vulnerability affects WordPress installations that use the ThemeREX Nelson theme up to and including version 1.2.0. Any site running these versions can be impacted; no other PHP frameworks or themes are formally listed.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is classified as high severity. The EPSS score of less than 1% indicates a low probability that it is actively exploited in the wild, and it is not listed in CISA’s Known Exploited Vulnerabilities catalog. Nevertheless, the attack vector is likely remote and can be performed by providing a crafted URL or input parameter that influences the include/require path. Due to this remote nature, the vulnerability poses a significant risk for organizations with exposed WordPress sites that have not applied the latest theme updates.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

ThemeREX

Nelson

unaffected

Version	Status	Constraints
`n/a`	affected	≤ <= 1.2.0

No data.

Vendor Product Confidence Versions

Themerex

Nelson

100%

Version	Status	Scheme	Platform
`[0,1.2.0]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade ThemeREX Nelson to the latest available version that addresses the filename control issue.
Verify the upgrade by testing that the vulnerable inclusion endpoint no longer processes arbitrary paths.
If an upgrade is not immediately possible, configure the web server or application firewall to reject or sanitize paths used in include/require calls, limiting them to whitelisted directories.
Restrict file permissions on the WordPress installation to prevent writable PHP files in directories that may be included by the theme.
Monitor web application logs for attempts to access files outside the intended directories or for abnormal include requests.

Generated by OpenCVE AI on March 26, 2026 at 20:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00151.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/nelson/vulnerability/wordpress-nelson-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themerex Themerex nelson Wordpress Wordpress wordpress
Vendors & Products		Themerex Themerex nelson Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion.This issue affects Nelson: from n/a through <= 1.2.0.
Title		WordPress Nelson theme <= 1.2.0 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://patchstack.com/database/Wordpress/Theme/nelson/vulnerability/wordpress-nelson-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Themerex Nelson

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:14:24.784Z

Updated: 2026-03-26T18:31:41.613Z

Reserved: 2026-01-07T13:44:30.743Z

Link: CVE-2026-22503

Vulnrichment

Updated: 2026-03-26T18:26:23.115Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:32.333

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:46Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object