Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.
Published: 2026-03-05
Score: 8.1 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: Remote Code Execution
Action: Patch Theme
AI Analysis

Impact

The vulnerability arises from improper control of filenames used in PHP include/require statements within the Aora theme, enabling attackers to specify arbitrary local files to be parsed by the server. This flaw can be exploited to read sensitive system files or, if the attacker can influence the inclusion of a PHP payload, execute arbitrary code on the affected machine.

Affected Systems

WordPress installations that use the Aora theme from thembay, versions 1.3.15 and earlier, are impacted. The flaw resides in the theme’s file inclusion logic and applies across all editions of the affected releases.

Risk and Exploitability

The CVSS score of 8.1 signals a high severity, while the EPSS value of less than 1% indicates a relatively low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could exploit the flaw by sending crafted requests that trigger the vulnerable include path, potentially via an exposed URL parameter. It is also inferred that no special privileges beyond normal web access to the site would be needed, but if the attacker can control the included file, full code execution could result.

Generated by OpenCVE AI on April 16, 2026 at 05:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Aora theme to version 1.3.16 or later, which removes the unsafe include logic.
  • If an upgrade is temporarily infeasible, modify the theme's source to hard-code a whitelist of allowed files and reject any path that navigates outside that directory.
  • Disable PHP directives that enable remote includes by setting allow_url_include to Off and tightening open_basedir restrictions.
  • Implement a Web Application Firewall rule that blocks requests containing directory traversal sequences ('../') in parameters that are passed to include/require functions.
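As an added example (not code from the Aora theme or from OpenCVE), the allowlist-plus-containment pattern from the second action above, written as a PHP helper; the template keys, file names, function name and the `template` request parameter are assumed for illustration:

```php
<?php
// Added example (not code from the Aora theme or from OpenCVE): replaces a direct
// include of a request-controlled filename with an allowlist lookup plus a
// realpath containment check, as recommended above.
declare(strict_types=1);

// Logical template keys the code may include, mapped to files under the theme
// directory. Hypothetical names for illustration.
const AORA_SAFE_TEMPLATES = [
    'header'  => 'template-parts/header.php',
    'footer'  => 'template-parts/footer.php',
    'sidebar' => 'template-parts/sidebar.php',
];

/**
 * Resolve a request-supplied template key to an absolute path, or null.
 *
 * Two independent checks: the key must exist in the allowlist, and the
 * resolved file must still sit inside $base_dir after realpath() has
 * collapsed any '..', symlinks or encoding tricks. Either check alone
 * would do; keeping both means a mistake in the allowlist (for example a
 * relative entry containing '..') cannot reopen the hole.
 */
function aora_resolve_template(string $key, string $base_dir): ?string
{
    if (!array_key_exists($key, AORA_SAFE_TEMPLATES)) {
        return null; // unknown key: the request value never reaches the filesystem
    }
    $base = realpath($base_dir);
    $real = realpath($base_dir . DIRECTORY_SEPARATOR . AORA_SAFE_TEMPLATES[$key]);
    if ($base === false || $real === false) {
        return null; // base directory or target file does not exist
    }
    // Containment: $real must start with "$base/" (the trailing separator stops
    // a sibling directory that merely shares a name prefix from matching).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Usage at the former unsafe include site (parameter name assumed):
$raw      = $_GET['template'] ?? '';
$template = aora_resolve_template(is_string($raw) ? $raw : '', __DIR__);
if ($template === null) {
    http_response_code(400);
    exit;
}
require $template; // only an allowlisted, contained file ever reaches here
```

Because the request value is used only as an array key and never concatenated into a path, the check holds regardless of allow_url_include; the php.ini hardening in the third action remains worthwhile as defence in depth.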

Generated by OpenCVE AI on April 16, 2026 at 05:10 UTC.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Values Removed: (none listed)
Values Added:
Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Values Removed: (none listed)
Values Added:
First Time appeared: Thembay; Thembay aora; Wordpress; Wordpress wordpress
Vendors & Products: Thembay; Thembay aora; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Values Removed: (none listed)
Values Added:
Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.
Title: WordPress Aora theme <= 1.3.15 - Local File Inclusion vulnerability
Weaknesses: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:13.782Z

Reserved: 2026-02-19T09:51:58.586Z

Link: CVE-2026-27381

Vulnrichment

Updated: 2026-03-06T18:51:33.501Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:27.437

Modified: 2026-03-06T19:16:17.000

Link: CVE-2026-27381

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses