Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion. This issue affects Amoli: from n/a through <= 1.0.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion allowing arbitrary file inclusion
Action: Apply Patch
AI Analysis

Impact

The Amoli WordPress theme contains an improper control of the filename used in a PHP include or require statement. This flaw enables an attacker to include any local file on the server. If the included file contains executable PHP code, the attacker may run arbitrary code, compromising the confidentiality, integrity, and availability of the site.

Affected Systems

The vulnerability affects the Amoli theme by Elated-Themes. Every release of the theme up to and including version 1.0 is susceptible. No later versions are affected as the issue was fixed after 1.0.

Risk and Exploitability

The CVSS score of 8.1 marks this as a high-severity flaw. The EPSS score is below 1%, indicating a low but present likelihood of exploitation. It is not listed in CISA's KEV catalog. The likely attack vector is a web request that supplies a URL parameter or form input leading to the vulnerable include. Based on the description, it is inferred that remote code execution is possible if the attacker supplies a malicious PHP file for inclusion, though this requires the attacker to control the file contents.

Generated by OpenCVE AI on March 26, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Amoli theme to any release newer than 1.0.
  • If an upgrade is not feasible now, edit the theme’s code to remove or neutralize the vulnerable include/require call, ensuring only trusted files can be included.
  • Limit the include path to a secure directory and validate filenames against a whitelist.
  • Reduce file permissions on the web root to disallow execution of arbitrary files.
  • Add a .htaccess rule to deny PHP execution of local files in the theme directory.
  • Deploy a web application firewall or adjust security plugins to detect and block local file inclusion attempts.
  • Monitor web server and application logs for unexpected file inclusion activity.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 26 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Elated-themes; Elated-themes amoli; Wordpress; Wordpress wordpress |
| Vendors & Products | | Elated-themes; Elated-themes amoli; Wordpress; Wordpress wordpress |

Wed, 25 Mar 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion. This issue affects Amoli: from n/a through <= 1.0. |
| Title | | WordPress Amoli theme <= 1.0 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:41.369Z

Reserved: 2026-01-07T13:44:36.067Z

Link: CVE-2026-22506

Vulnrichment

Updated: 2026-03-26T18:26:18.000Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:32.737

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:43Z

Weaknesses