Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dan_fisher Alchemists alchemists allows PHP Local File Inclusion. This issue affects Alchemists: from n/a through <= 4.6.0.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The WordPress Alchemists theme contains an improper validation of the filename used in PHP include/require statements, leading to a Local File Inclusion vulnerability identified as CWE‑98. An attacker can manipulate the input that determines the file path and force the application to include a local file. Based on the description, it is inferred that if the attacker can supply a malicious PHP script as the included file, the vulnerability could potentially lead to remote code execution.

Affected Systems

WordPress installations that employ the Alchemists theme version 4.6.0 or earlier, distributed by developer dan_fisher. No further version granularity is specified beyond the stated upper bound.

Risk and Exploitability

The base CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests a low probability that the flaw is currently being exploited, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is local to the web application, requiring an attacker to influence a request parameter that controls the include path. Because the flaw permits inclusion of arbitrary local files, there is a realistic possibility of remote code execution should a PHP file be injected or already exist on the system.

Generated by OpenCVE AI on April 16, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Alchemists theme to the latest available version that resolves the include handling bug.
  • If an update is not feasible, disable the theme or remove it from the WordPress installation to eliminate the vulnerable code path.
  • Configure the web server to restrict PHP file access to trusted directories and set proper file permissions so that any inadvertently included files cannot be executed.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 06 Mar 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Dan Fisher; Dan Fisher alchemists; Wordpress; Wordpress wordpress |
| Vendors & Products | | Dan Fisher; Dan Fisher alchemists; Wordpress; Wordpress wordpress |

Thu, 05 Mar 2026 06:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dan_fisher Alchemists alchemists allows PHP Local File Inclusion. This issue affects Alchemists: from n/a through <= 4.6.0. |
| Title | | WordPress Alchemists theme <= 4.6.0 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:07.648Z

Reserved: 2026-02-19T09:51:27.898Z

Link: CVE-2026-27334

Vulnrichment

Updated: 2026-03-09T17:32:19.087Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:23.847

Modified: 2026-03-09T18:16:18.693

Link: CVE-2026-27334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z