Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion.This issue affects ProLingua: from n/a through <= 1.1.12.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an improper control of filenames for PHP include/require statements in the WordPress ProLingua theme, classified as a Local File Inclusion flaw. An attacker could supply a crafted input that causes the theme to include arbitrary local files, potentially leading to disclosure of sensitive configuration data or execution of malicious PHP code. The weakness aligns with CWE‑98: Improper Control of Filename for Include/Require Statement.

Affected Systems

The issue affects ThemeREX ProLingua, a WordPress theme, across all releases up to and including version 1.1.12. Users running any of these versions are at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS rating of less than 1 % suggests low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely occur remotely through web requests containing manipulated parameters that influence the include path, though specific attack vectors are not explicitly detailed in the advisory.

Generated by OpenCVE AI on March 26, 2026 at 20:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ProLingua theme to a version newer than 1.1.12. If an update is unavailable, either remove or disable the theme until a patch is released.

Generated by OpenCVE AI on March 26, 2026 at 20:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex prolingua
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex prolingua
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion.This issue affects ProLingua: from n/a through <= 1.1.12.
Title WordPress ProLingua theme <= 1.1.12 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Prolingua
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:41.483Z

Reserved: 2026-01-07T13:44:30.743Z

Link: CVE-2026-22504

cve-icon Vulnrichment

Updated: 2026-03-26T18:26:20.539Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:32.470

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22504

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:46:45Z

Weaknesses