Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion. This issue affects Roisin: from n/a through <= 1.2.1.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The flaw arises from improper control over the filename used in PHP include/require statements, allowing an attacker to direct the application to include arbitrary local files. This Local File Inclusion vulnerability, identified as CWE‑98, could lead to the disclosure of sensitive configuration files, logs, or code, and in some cases to remote code execution if the attacker can supply a malicious file.

Affected Systems

The issue affects WordPress sites that use the Elated‑Themes Roisin theme version 1.2.1 or earlier. Any installation running a vulnerable version of this theme is impacted.

Risk and Exploitability

The CVSS score of 8.1 denotes high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is web requests that supply a crafted filename to the theme’s code; this inference assumes the application accepts user-supplied input for the include path and that the attacker can manipulate it.

Generated by OpenCVE AI on March 26, 2026 at 20:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Roisin theme to a version newer than 1.2.1 that removes the insecure inclusion code.
  • If an upgrade is not possible, disable the theme or remove the PHP file responsible for the include operation.
  • Configure file system permissions for the theme directories so that only necessary files are readable by the web server.
  • Monitor web logs for unusual include requests or attempts to read sensitive files to detect exploitation attempts.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Elated-themes
  Elated-themes roisin
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Elated-themes
  Elated-themes roisin
  Wordpress
  Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion. This issue affects Roisin: from n/a through <= 1.2.1.

Type: Title
Values Removed: (none)
Values Added: WordPress Roisin theme <= 1.2.1 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:40.865Z

Reserved: 2026-01-07T13:44:36.068Z

Link: CVE-2026-22512

Vulnrichment

Updated: 2026-03-26T18:26:09.045Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:33.550

Modified: 2026-03-30T13:27:35.820

Link: CVE-2026-22512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:46:38Z

Weaknesses