Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion. This issue affects The Issue: from n/a through <= 1.6.11.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

Based on the description, it is inferred that the vulnerability originates from an improper control of the filename used in PHP include/require statements. Attackers can manipulate user‑supplied input to cause the theme to include arbitrary files from the local filesystem. This lack of validation can allow an attacker to read sensitive files or execute malicious code if PHP files are included, potentially compromising confidentiality, integrity, and the overall system.

Affected Systems

The Issue theme from fuelthemes is vulnerable in all releases up to and including version 1.6.11. WordPress sites that have this theme activated are at risk; no specific WordPress core versions are implicated, so any WordPress installation using The Issue theme <= 1.6.11 is considered affected.

Risk and Exploitability

Based on the description, it is inferred that attackers could target the theme via crafted web requests or through authenticated users with file upload capabilities to trigger local file inclusion. The CVSS base score of 8.1 indicates a high‑severity issue, yet the EPSS score is less than 1%, indicating a very low likelihood of exploitation in the wild at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Successful exploitation could lead to disclosure of sensitive data or execution of arbitrary code if the server permits PHP execution in the targeted files.

Generated by OpenCVE AI on April 16, 2026 at 05:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update The Issue theme to version 1.6.12 or later where the LFI flaw is addressed.
  • Remove or sanitize any query parameters that influence file inclusion in theme code, ensuring the include path is restricted to the theme directory.
  • Configure the web server to disallow PHP execution in upload or temporary directories and enforce read‑only permissions for critical files to prevent unintended inclusion.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Fuelthemes
  Fuelthemes the Issue
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Fuelthemes
  Fuelthemes the Issue
  Wordpress
  Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes The Issue theissue allows PHP Local File Inclusion. This issue affects The Issue: from n/a through <= 1.6.11.

Type: Title
Values Removed: (none)
Values Added: WordPress The Issue theme <= 1.6.11 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:04.286Z

Reserved: 2026-01-16T14:15:17.504Z

Link: CVE-2026-23801

Vulnrichment

Updated: 2026-03-09T14:03:54.295Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:22.630

Modified: 2026-03-09T14:16:08.210

Link: CVE-2026-23801

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:30:25Z

Weaknesses