Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion. This issue affects Mixtape: from n/a through <= 2.1.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

Improper control of the filename used in an include/require statement in the Mixtape theme allows an attacker to supply a crafted filename that bypasses the intended path restrictions. The flaw can cause the theme to include arbitrary local files on the server, exposing sensitive data or, if a local script under attacker influence is included, executing arbitrary PHP code. The issue is a Local File Inclusion weakness classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

Affected Systems

WordPress sites using the Select-Themes Mixtape theme are affected. Versions from the initial release through and including 2.1 contain the vulnerability; no later version has been identified as affected. Sites that have upgraded to 2.2 or newer are not impacted.

Risk and Exploitability

The CVSS base score is 8.1, indicating high severity, while the EPSS score is below 1%, suggesting a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. It can be exploited by delivering a specially crafted request that controls the filename argument in the theme's include logic, typically via a public-facing page. Successful exploitation permits reading sensitive files or executing PHP code, granting the attacker significant control over the affected server.

Generated by OpenCVE AI on March 26, 2026 at 20:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Mixtape to the latest version (≥2.2) to eliminate the LFI flaw.
  • If an update is unavailable, immediately deactivate or delete the Mixtape theme from the site.
  • Add web application firewall or URL filtering rules to block requests that trigger the vulnerable include logic.
  • Review the theme’s code to ensure all include/require statements validate filenames against a whitelist.
  • Monitor server logs for LFI attempts and investigate any suspicious activity.

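
As an added illustration of the whitelist check recommended above (example code written for this page, not the Mixtape theme's own code, whose affected code path is not shown here; the function names and template list are assumed), the vulnerable CWE-98 pattern is shown beside a hardened allowlist loader:

```php
<?php
// Added example for this page. Not code from the Mixtape theme: the real
// vulnerable code path is not published here. Function names, the request
// parameter and the template list are assumed for illustration.

// Vulnerable pattern (CWE-98): the included path is built from request input,
// so the request decides which file on disk the theme includes.
function mixtape_load_template_unsafe(array $request): void
{
    $name = $request['template'] ?? 'default';
    include get_template_directory() . '/templates/' . $name . '.php';
}

// Hardened pattern: the request value is only ever used as a lookup key
// into a fixed allowlist; the include path itself never contains request text.
const MIXTAPE_TEMPLATES = [
    'default'  => 'templates/default.php',
    'playlist' => 'templates/playlist.php',
    'artist'   => 'templates/artist.php',
];

function mixtape_resolve_template(string $name): ?string
{
    // Exact-match lookup: any value that is not one of the keys above
    // (path separators, absolute paths, stream wrappers) simply fails to match.
    return MIXTAPE_TEMPLATES[$name] ?? null;
}

function mixtape_load_template_safe(array $request): void
{
    $requested = (string) ($request['template'] ?? 'default');
    $relative  = mixtape_resolve_template($requested);

    if ($relative === null) {
        // Log the rejected value so LFI attempts are visible in server logs,
        // then fall back to the default template instead of failing open.
        error_log('mixtape: rejected template name ' . json_encode($requested));
        $relative = MIXTAPE_TEMPLATES['default'];
    }

    include get_template_directory() . '/' . $relative;
}
```

The logged rejection is the signal to watch for when monitoring for LFI attempts, as the last recommended action suggests.
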
Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type       Values Removed   Values Added
Metrics                     cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Select-themes
                                      Select-themes mixtape
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Select-themes
                                      Select-themes mixtape
                                      Wordpress
                                      Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description                    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion. This issue affects Mixtape: from n/a through <= 2.1.
Title                          WordPress Mixtape theme <= 2.1 - Local File Inclusion vulnerability
Weaknesses                     CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:39.759Z

Reserved: 2026-02-02T12:53:53.793Z

Link: CVE-2026-25457

Vulnrichment

Updated: 2026-03-26T18:25:53.133Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:51.877

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-25457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:39Z

Weaknesses