Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework handmade-framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through <= 3.9.
Published: 2026-01-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is improper control of the filename used in an include/require statement in the WordPress Handmade Framework plugin (CWE-98). Because PHP parses any included file as code, an attacker who controls the path can read files the web server process can access and, if any such file contains attacker-supplied PHP (for example an uploaded file or a poisoned log), execute code on the server, compromising the confidentiality, integrity and availability of the site.

Affected Systems

WordPress sites using the G5Theme Handmade Framework plugin, versions up to and including 3.9, are affected. No other vendors or product versions are listed as impacted.

Risk and Exploitability

Exploitation requires a request in which attacker-controlled input reaches the plugin's include/require call, most plausibly a URL or form parameter that names a template or view file. The CVSS v3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, 7.5 High) describes a network-reachable issue that needs low-privilege authentication and has high attack complexity; the SSVC assessment (Exploitation: none, Automatable: no, Technical Impact: total) and an EPSS below 1% indicate a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The impact if exploited is nonetheless severe: local file inclusion discloses any file the web server process can read, and becomes code execution as soon as the attacker can place PHP code in any such file.
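The include pattern described above, as an added example that is not code from the Handmade Framework plugin (the plugin's real parameter names and file layout are not published on this page): a minimal CWE-98 include beside a hardened version that allow-lists template names and confirms with realpath() that the resolved path stays inside the plugin's template directory. The "template" parameter, the directory layout and the sample inputs are assumptions, and the script builds its own throwaway template files so it runs offline.

```php
<?php
// Added example, not code from the Handmade Framework plugin. The parameter
// name "template", the directory layout and the inputs below are assumptions.

declare(strict_types=1);

// Throwaway plugin directory with two template files and one file that sits
// outside the template directory and must never be included.
$base = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
mkdir("$base/templates", 0700, true);
file_put_contents("$base/templates/grid.php", '<?php echo "grid template\n";');
file_put_contents("$base/templates/list.php", '<?php echo "list template\n";');
file_put_contents("$base/secret.php", '<?php echo "SECRET CONFIG (should never be reached)\n";');

// --- Vulnerable pattern (CWE-98): the request value flows straight into include.
function render_template_vulnerable(string $base, string $name): void
{
    // $name is attacker-controlled; "../secret" escapes the templates directory.
    include $base . '/templates/' . $name . '.php';
}

// --- Hardened pattern: allow-list first, then a realpath() containment check.
function render_template_safe(string $base, string $name): bool
{
    static $allowed = ['grid', 'list'];            // the only templates that exist
    if (!in_array($name, $allowed, true)) {
        return false;                               // unknown name: refuse
    }
    $dir  = realpath($base . '/templates');
    $path = realpath($dir . '/' . $name . '.php');
    // Defence in depth: even an allow-listed name must resolve inside $dir, so a
    // later edit to the list (or a name derived from config) cannot reintroduce
    // traversal. A missing file makes realpath() return false and is rejected too.
    if ($path === false || strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Constructed request values: the first is legitimate, the rest are attacks.
$requests = [
    'grid',
    '../secret',
    '/etc/passwd%00',
    'php://filter/convert.base64-encode/resource=index',
];
foreach ($requests as $r) {
    $ok = render_template_safe($base, $r);          // echoes the template if included
    echo "  -> ", $ok ? 'included' : 'rejected', " (input: $r)\n";
}

// The vulnerable function happily includes the file outside the directory:
echo "vulnerable include with '../secret':\n";
render_template_vulnerable($base, '../secret');

// Clean up the throwaway directory.
array_map('unlink', glob("$base/templates/*.php"));
unlink("$base/secret.php");
rmdir("$base/templates");
rmdir($base);
```

Run it with `php lfi-include.php`. The allow-list alone would be sufficient for this case; the realpath() check is kept because it is cheap and catches the common regression where a "fixed" include still concatenates user input into the path.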

Generated by OpenCVE AI on April 18, 2026 at 16:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Handmade Framework to a version later than 3.9 as soon as the vendor releases one; every version through 3.9 is in the affected range.
  • Until a fix is available, restrict the plugin's include/require call to an allow-list of known template names and verify with realpath() that the resolved path stays inside the plugin directory, or remove the vulnerable code path entirely. Rejecting "../" alone is not enough: absolute paths and PHP stream wrappers (php://, data://) bypass that check.
  • As a compensating control, add a web application firewall rule for the affected parameters that matches traversal sequences, absolute paths and stream wrappers after URL decoding (including double-encoded forms such as %252e%252e%252f), and watch the PHP error log for include/require warnings that point at unexpected paths.
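An added example, not part of the plugin or of any WAF product, of the parameter check the third recommendation calls for. A rule that matches only a literal "../" misses encoded, double-encoded and backslash variants as well as stream wrappers, so the function below canonicalises a request value first and then reports which indicator it found. The function name lfi_indicator and the sample values are constructed for illustration, not captured traffic.

```php
<?php
// Added example, not part of the plugin or any WAF. lfi_indicator() is a
// hypothetical name; the sample values are constructed, not captured traffic.

declare(strict_types=1);

/**
 * Return the name of the first LFI indicator found in $value, or null if the
 * value looks like a plain template name. Canonicalises before matching.
 */
function lfi_indicator(string $value): ?string
{
    // Unwrap up to three layers of URL encoding (%2e%2e%2f, %252e%252e%252f).
    $v = $value;
    for ($i = 0; $i < 3; $i++) {
        $decoded = rawurldecode($v);
        if ($decoded === $v) {
            break;
        }
        $v = $decoded;
    }
    $v = str_replace('\\', '/', $v);                 // treat backslashes as separators

    if (strpos($v, "\0") !== false) {
        return 'null byte';                           // classic extension-truncation trick
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $v)) {
        return 'directory traversal';
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $v)) {
        return 'stream wrapper';                      // php://, data://, file://, ...
    }
    if ($v !== '' && $v[0] === '/') {
        return 'absolute path';
    }
    return null;
}

// Constructed request values covering the bypasses a bare "../" rule misses.
$samples = [
    'grid',                                                  // legitimate
    '../../wp-config',                                       // plain traversal
    '..%2f..%2fwp-config',                                   // URL-encoded slashes
    '%252e%252e%252fwp-config',                              // double-encoded
    '..\\..\\wp-config',                                     // backslash separators
    'php://filter/convert.base64-encode/resource=wp-config', // wrapper, no ".." at all
    '/etc/passwd%00',                                        // absolute path + null byte
];
foreach ($samples as $s) {
    printf("%-58s %s\n", $s, lfi_indicator($s) ?? 'clean');
}
```

The decode loop stops as soon as a pass changes nothing, so a legitimate value containing a literal percent sign is not mangled; the null-byte check runs before the others because a null byte invalidates the value regardless of what follows it.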


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework handmade-framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through <= 3.9.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress, Wordpress wordpress
Vendors & Products: Wordpress, Wordpress wordpress

Thu, 08 Jan 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9.
Title WordPress Handmade Framework plugin <= 3.9 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:03.844Z

Reserved: 2026-01-07T13:44:43.226Z

Link: CVE-2026-22521

Vulnrichment

Updated: 2026-01-08T20:11:15.723Z

NVD

Status : Deferred

Published: 2026-01-08T17:15:52.100

Modified: 2026-04-23T15:36:38.200

Link: CVE-2026-22521

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:45:05Z

Weaknesses