Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Amfissa amfissa allows PHP Local File Inclusion. This issue affects Amfissa: from n/a through <= 1.1.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows the inclusion of local files via an improper control of the filename used in PHP include or require statements. This flaw can lead to the disclosure of sensitive server files or, in some configurations, the execution of arbitrary PHP code, thus compromising the confidentiality, integrity, or availability of the affected WordPress site. The weakness is formally classified as CWE‑98.

Affected Systems

WordPress sites that use the Mikado‑Themes Amfissa theme version 1.1 or earlier are affected. No other product versions are listed, meaning the risk applies to installations that have not yet upgraded beyond the stated cutoff.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests that public exploit code is currently rare. The issue is not recorded in the CISA KEV catalog. An attacker would likely craft a request that passes a path parameter to the vulnerable inclusion point, enabling them to read local files or trigger PHP execution when the server's configuration permits it. Exploitation requires the attacker to reach the WordPress instance over HTTP, so network-level or web application defenses can mitigate the attack vector.

Generated by OpenCVE AI on March 26, 2026 at 20:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Amfissa theme to a version newer than 1.1
  • If an update cannot be performed immediately, disable or remove the Amfissa theme from the site
  • Ensure that only trusted file paths are processed by any include or require calls by reviewing theme code if possible
  • Verify that the WordPress core and other plugins are current and secure
  • Consider implementing a web application firewall to block suspicious file inclusion attempts



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mikado-themes; Mikado-themes amfissa; Wordpress; Wordpress wordpress
Vendors & Products | | Mikado-themes; Mikado-themes amfissa; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Amfissa amfissa allows PHP Local File Inclusion. This issue affects Amfissa: from n/a through <= 1.1.
Title | | WordPress Amfissa theme <= 1.1 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-24T15:35:30.146Z

Reserved: 2026-02-17T13:23:58.963Z

Link: CVE-2026-27079

Vulnrichment

Updated: 2026-03-26T18:25:43.903Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:55.443

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-27079

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:22Z

Weaknesses