Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through <= 2.4.1.
Published: 2026-01-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

Elated‑Themes Laurent Core plugins exhibit a flaw where filenames supplied to PHP include/require statements are not properly validated. The result is a Local File Inclusion vulnerability that permits an attacker to read or execute local files on the web server. This can compromise confidential data or lead to arbitrary code execution, thereby affecting the confidentiality and integrity of the affected system.

Affected Systems

Elated‑Themes Laurent Core plugin is affected in all released versions up to and including 2.4.1. Any WordPress installation that has the Laurent Core plugin <= 2.4.1 is at risk.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% signals a low predicted probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a Local File Inclusion via the plugin’s include logic, which requires an attacker to send a crafted request that resolves to a local path (such as a log file or PHP source). No explicit authentication requirement is stated in the description, so the path may be usable by unauthenticated users or users with basic access to the site, but further exploitation to achieve code execution would likely need elevated privileges. The CVSS vector recorded for this entry specifies AC:H (high attack complexity) and PR:L (low privileges required).

Generated by OpenCVE AI on April 16, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Laurent Core plugin to a version newer than 2.4.1, or apply the official vendor update if available.
  • If an update is not yet available, disable the Laurent Core plugin to eliminate the vulnerable code path.
  • Use open_basedir or similar file‑system access controls to restrict which files PHP code in the plugin directory can include.
  • Ensure that the WordPress installation runs with the minimal required PHP version and that file permissions on the plugin directory prevent read/execute access by non‑privileged users.
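
To act on the first two recommendations you first need to know which sites carry an affected copy. The following is an added example, not code from OpenCVE, Patchstack or the vendor: a Python audit that reads the plugin header of each laurent-core install and flags versions up to and including 2.4.1. It assumes the standard WordPress layout (wp-content/plugins/laurent-core under each site root); the function names are hypothetical.

```python
import re
from pathlib import Path

PLUGIN_SLUG = "laurent-core"   # plugin slug as given in the CVE description
LAST_AFFECTED = "2.4.1"        # last affected version according to this record

# Same comment-prefix characters WordPress tolerates before a header field.
HEADER_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M | re.I)

def version_key(v):
    """Dotted numeric parts as a padded tuple, so 2.4 == 2.4.0 and 2.10 > 2.4.1."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def plugin_version(plugin_dir):
    """Version from the first top-level PHP file carrying a plugin header, else None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_bytes()[:8192]  # WordPress only scans the first 8 KB for headers
        if b"Plugin Name:" in head:
            m = HEADER_RE.search(head)
            if m:
                return m.group(1).decode()
    return None

def audit(wp_roots):
    """Return (plugin_path, version, affected) for every root that has the plugin."""
    findings = []
    for root in wp_roots:
        pdir = Path(root) / "wp-content" / "plugins" / PLUGIN_SLUG
        if not pdir.is_dir():
            continue
        ver = plugin_version(pdir)
        # An unreadable version is treated as affected so it gets a manual look.
        affected = ver is None or version_key(ver) <= version_key(LAST_AFFECTED)
        findings.append((str(pdir), ver, affected))
    return findings

if __name__ == "__main__":
    import sys
    for path, ver, affected in audit(sys.argv[1:]):
        print(f"{'AFFECTED' if affected else 'ok':8} {ver or 'unknown':10} {path}")
```

Run it with one or more WordPress document roots as arguments; a plugin that is present but deactivated is still reported, since the files remain on disk.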

Advisories

No advisories yet.

History

Mon, 26 Jan 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Wordpress; Wordpress wordpress
Vendors & Products | (none) | Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through <= 2.4.1.
Title | (none) | WordPress Laurent Core plugin <= 2.4.1 - Local File Inclusion vulnerability
Weaknesses | (none) | CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:25.079Z

Reserved: 2026-01-23T12:32:17.047Z

Link: CVE-2026-24608

Vulnrichment

Updated: 2026-01-23T17:09:16.308Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:19.707

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-24608

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T07:30:28Z

Weaknesses