Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle Core theaisle-core allows PHP Local File Inclusion. This issue affects The Aisle Core: from n/a through <= 2.0.5.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (Potential RCE)
Action: Immediate Patch
AI Analysis

Impact

The Aisle Core plugin contains an improper control of filenames used in PHP include/require statements, which permits local file inclusion. This error allows an attacker to read arbitrary files on the server; if the included file contains malicious code, the attacker could achieve remote code execution or exfiltrate sensitive data, compromising confidentiality, integrity, and availability.

Affected Systems

Any WordPress site with the Elated-Themes The Aisle Core plugin installed at version 2.0.5 or earlier is affected. No other vendors or products are indicated in the records.

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity, while the EPSS score of less than 1 percent indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, suggesting no widespread exploitation reports. The likely attack vector is a remote request that supplies a crafted file path to the plugin’s inclusion point; the description does not specify the exact parameter, but it implies that manipulating the filename used by the plugin would trigger the inclusion. Because the flaw can lead to RCE if an attacker can inject code, the overall risk remains significant despite the low current exploitation probability.

Generated by OpenCVE AI on March 26, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade The Aisle Core plugin to the latest available version (2.0.6 or later) released by Elated-Themes.
  • If an upgrade is not immediately possible, block or neutralize the vulnerable inclusion point by sanitizing the filename input and ensuring only whitelisted paths are allowed before including files.
  • Verify that WordPress core and all other plugins remain up-to-date to reduce the overall attack surface.
  • Configure the web server to deny direct access to sensitive files and enable logging for file inclusion attempts so suspicious activity can be detected promptly.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Elated-themes; Elated-themes the Aisle Core; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Elated-themes; Elated-themes the Aisle Core; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle Core theaisle-core allows PHP Local File Inclusion. This issue affects The Aisle Core: from n/a through <= 2.0.5.

Type: Title
Values Removed: (none)
Values Added: WordPress The Aisle Core plugin <= 2.0.5 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:39.643Z

Reserved: 2026-02-17T13:23:18.876Z

Link: CVE-2026-27048

Vulnrichment

Updated: 2026-03-26T18:25:50.941Z

NVD

Status: Awaiting Analysis

Published: 2026-03-25T17:16:54.130

Modified: 2026-03-30T13:27:12.923

Link: CVE-2026-27048

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:30Z

Weaknesses