Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through <= 2.0.1.
Published: 2026-03-19
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion, potential read of sensitive files or execution
Action: Immediate Patch
AI Analysis

Impact

The flaw stems from unsanitised, request-controlled input that reaches an include or require statement in the BuilderPress plugin. A crafted request can make the plugin include any file on the server that the web server process can read. That lets an attacker disclose configuration files such as wp-config.php, credentials, or other sensitive data, and if the attacker can steer the include to a file they control (for example an uploaded file, a poisoned log, or a PHP stream wrapper where the PHP configuration allows it), the result is arbitrary code execution on the web server. The weakness is CWE-98: Improper Control of Filename for Include/Require Statement.
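The pattern the analysis describes, as an added example that is not BuilderPress code (the page does not show the plugin's vulnerable source): a hypothetical template loader that passes a request parameter straight into include, beside a hardened version that maps the value through an allow-list and confirms with realpath() that the resolved path still sits inside the template directory. Function names, the "template" parameter and the allow-list entries are assumptions made for the example.

```php
<?php
// Added example, not code from the BuilderPress plugin. The vulnerable source is
// not on the page, so load_template_vulnerable() is a hypothetical stand-in for
// the CWE-98 pattern: a request-controlled filename reaching include.

// VULNERABLE: the "template" request parameter is concatenated into the include
// path unchanged. "../../wp-config.php" or "../../../../etc/passwd" escapes the
// template directory, and with allow_url_include=On a URL would be fetched too.
function load_template_vulnerable(array $request, string $template_dir): void
{
    $name = $request['template'] ?? 'default';
    include $template_dir . '/' . $name . '.php';
}

// HARDENED: the user value selects an allow-listed entry instead of becoming a
// path fragment, and the resolved path is checked against the base directory.
function resolve_template(string $requested, string $template_dir): ?string
{
    // Allow-list of template identifiers the plugin ships (assumed names).
    static $allowed = ['default', 'two-column', 'sidebar-left'];
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . '/' . $requested . '.php');
    // realpath() returns false for missing files and collapses ".." and
    // symlinks; the prefix check rejects anything outside $base.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(array $request, string $template_dir): bool
{
    $requested = (string) ($request['template'] ?? 'default');
    $path = resolve_template($requested, $template_dir);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    include $path;
    return true;
}

// Demonstration with a constructed template directory and constructed inputs.
$dir = sys_get_temp_dir() . '/lfi-example-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/default.php', "<?php echo \"default template\\n\";\n");

$probes = [
    'default',                        // legitimate value
    '../../etc/passwd',               // traversal out of the template directory
    '../default',                     // traversal that still names a real file
    'php://filter/resource=default',  // stream wrapper
];
foreach ($probes as $t) {
    printf("%-32s => %s\n", $t, resolve_template($t, $dir) === null ? 'rejected' : 'allowed');
}

// The hardened loader includes the allow-listed template and refuses the rest.
load_template_hardened(['template' => 'default'], $dir);
var_dump(load_template_hardened(['template' => '../../etc/passwd'], $dir));

unlink($dir . '/default.php');
rmdir($dir);
```

The allow-list alone already blocks every probe except the legitimate one; the realpath() prefix check is kept as a second layer so that a future change which builds the filename from user input again (or a symlink dropped into the template directory) still cannot reach files outside the base path.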

Affected Systems

The vulnerability is present in all installations of the ThimPress BuilderPress WordPress plugin up to and including version 2.0.1; no lower bound is given ("from n/a"), so every earlier release should be treated as affected.

Risk and Exploitability

The CVSS v3.1 base score is 9.8 (Critical), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges and no user interaction required, with high impact on confidentiality, integrity and availability. The SSVC assessment in the record marks the issue as Automatable: yes and Technical Impact: total, while Exploitation: none was recorded at publication. The EPSS rating puts the probability of exploitation below 1 %, and the issue is not currently in the CISA Known Exploited Vulnerabilities catalog. The most likely attack vector is an unauthenticated remote user sending a crafted HTTP request that reaches the vulnerable include path. Although the measured exploitation probability is low, unauthenticated LFI in a WordPress plugin is routinely scanned for once public, and the impact is severe if the attacker reads confidential files or achieves code execution.

Generated by OpenCVE AI on April 2, 2026 at 03:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BuilderPress plugin to a release newer than 2.0.1 as soon as the vendor publishes one; until then, deactivate the plugin on internet-facing sites where the site can tolerate it, since no vendor workaround is provided.
  • If the plugin must stay active, confirm that allow_url_include is Off in the PHP configuration (the default) so the include cannot fetch remote files, and restrict the directories the web server user can write to, so an attacker cannot plant PHP content in a path they can later include.
  • Add a web application firewall rule that blocks and logs requests to the site containing path traversal sequences (../ and URL-encoded variants such as %2e%2e%2f), null bytes (%00), and PHP stream wrappers (php://, data://, expect://) in query or POST parameters.
  • Review web server access logs for such sequences in requests made since the plugin was installed, and treat any hit that reached a BuilderPress endpoint as a potential compromise requiring a check of wp-config.php exposure and newly written PHP files.
  • Verify that the WordPress core and all other plugins are up to date and that no other modules expose similar include functionality.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through 2.0.1.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion. This issue affects BuilderPress: from n/a through <= 2.0.1.
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared: Thimpress, Thimpress builderpress, Wordpress, Wordpress wordpress
Vendors & Products: Thimpress, Thimpress builderpress, Wordpress, Wordpress wordpress

Thu, 19 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through 2.0.1.
Title WordPress BuilderPress plugin <= 2.0.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:10.322Z

Reserved: 2026-02-17T13:23:42.767Z

Link: CVE-2026-27065

Vulnrichment

Updated: 2026-03-19T13:53:42.872Z

NVD

Status : Deferred

Published: 2026-03-19T09:16:17.807

Modified: 2026-04-23T15:37:15.417

Link: CVE-2026-27065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:59:50Z

Weaknesses