Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Airtifact airtifact allows PHP Local File Inclusion. This issue affects Airtifact: from n/a through <= 1.2.91.
Published: 2026-02-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

This vulnerability involves improper control of file names used in PHP include/require statements, leading to a Local File Inclusion flaw. An attacker who can influence the include parameter may be able to force the theme to load arbitrary local files, potentially reading sensitive data or injecting malicious PHP code. The weakness aligns with CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program) and could allow execution of arbitrary PHP code if the attacker supplies a crafted file path.

Affected Systems

The vulnerability affects the WordPress Airtifact theme provided by VanKarWai. All releases of the theme from the earliest available versions up through 1.2.91 are impacted. Users deploying these versions should verify their installed theme version and consider upgrading beyond 1.2.91 or removing the theme if an upgrade is not viable.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. The EPSS score is below 1%, implying a low probability of active exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is local or authenticated, where an attacker can supply a crafted path to a vulnerable include. However, once local file inclusion is achieved, it can be escalated to remote code execution by placing malicious PHP files on the server or reading critical configuration files.

Generated by OpenCVE AI on April 16, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Airtifact theme to a version newer than 1.2.91 to receive the official fix.
  • If an upgrade cannot be performed immediately, replace the Airtifact theme with a vetted alternative or disable it entirely to prevent the vulnerability from being exploitable.
  • Inspect your site for any archived or legacy PHP files that may have been included inadvertently and remove them, ensuring that include paths are restricted to trusted directories.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Fri, 20 Feb 2026 10:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Vankarwai; Vankarwai airtifact; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Vankarwai; Vankarwai airtifact; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Airtifact airtifact allows PHP Local File Inclusion. This issue affects Airtifact: from n/a through <= 1.2.91.

Type: Title
Values Removed: (none)
Values Added: WordPress Airtifact theme <= 1.2.91 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:09.609Z

Reserved: 2026-02-19T09:51:35.297Z

Link: CVE-2026-27343

Vulnrichment

Updated: 2026-02-20T16:53:44.644Z

NVD

Status: Deferred

Published: 2026-02-19T21:18:32.810

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27343

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses