Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion. This issue affects NeoBeat: from n/a through <= 1.2.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially leading to information disclosure or code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in a PHP include/require statement within the NeoBeat theme. Because the filename originates from user input, an attacker can force the theme to include arbitrary files from the server’s file system, exposing sensitive configuration files or enabling the execution of malicious scripts. This local file inclusion can compromise confidentiality and, if combined with other weaknesses, may allow remote code execution.

Affected Systems

Elated‑Themes NeoBeat WordPress theme, versions up to and including 1.2, installed on any WordPress site that uses this theme.

Risk and Exploitability

The CVSS score of 8.1 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates significant severity, while the EPSS score of less than 1% shows that exploitation in the wild is currently unlikely. The vulnerability is not listed in CISA’s KEV catalog. Exploitation can be carried out remotely by manipulating HTTP requests that trigger the vulnerable include/require logic, so a remote attacker only needs network access to the WordPress site. The vector requires no privileges and no user interaction, but it rates attack complexity as high.

Generated by OpenCVE AI on March 26, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NeoBeat to version 1.3 or later, ensuring the vulnerable include logic is removed.
  • If an upgrade is not immediately possible, restrict web access to the NeoBeat theme directory or change file permissions so that the web server cannot read sensitive files.
  • Review and apply any official patches or updates from Elated‑Themes as soon as they become available.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Elated-themes; Elated-themes neobeat; Wordpress; Wordpress wordpress
Vendors & Products | | Elated-themes; Elated-themes neobeat; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes NeoBeat neobeat allows PHP Local File Inclusion. This issue affects NeoBeat: from n/a through <= 1.2.
Title | | WordPress NeoBeat theme <= 1.2 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:40.989Z

Reserved: 2026-01-07T13:44:36.068Z

Link: CVE-2026-22511

Vulnrichment

Updated: 2026-03-26T18:26:11.320Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:33.410

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:38Z
