Description
Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.
Published: 2026-07-02
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Unauthenticated local file inclusion has been identified in the Pearl – Corporate Business theme for WordPress versions 3.4.10 and earlier. An attacker can supply a crafted file path that bypasses validation and results in the server reading an arbitrary file on the local filesystem. This flaw, classified under CWE‑98, may expose configuration files, database credentials, or other sensitive data, and could enable further compromise if the read files contain exploitable code.

Affected Systems

The vulnerability affects the Pearl – Corporate Business WordPress theme distributed by StylemixThemes. All installations of the theme with a version number of 3.4.10 or lower are susceptible, while newer releases contain the fix.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, placing it in the high‑severity range. No EPSS score is currently available, but the flaw is unauthenticated, implying that any visitor to the site could potentially exploit it. The vulnerability is not listed in the CISA KEV catalog, yet its potential impact and lack of required authentication still render it a significant risk. Exploitation requires only the presence of the vulnerable theme and the ability to send requests that include the target file path, making it straightforward for attackers to read sensitive files or possibly execute code if the read data is later leveraged by other vulnerabilities.

Generated by OpenCVE AI on July 2, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pearl – Corporate Business theme to a version newer than 3.4.10.
  • If an upgrade cannot be performed immediately, remove or disable the theme so the vulnerable code path is no longer active.
  • Modify the web server configuration to disallow directory traversal and to restrict direct access to the theme’s directories, ensuring only intended files can be included.
  • Review and sanitize any file‑inclusion parameters in the theme’s code to enforce absolute paths or whitelisted file lists, mitigating CWE‑98 related risks.

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.
Title | | WordPress Pearl - Corporate Business theme <= 3.4.10 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-07-02T11:25:58.496Z

Reserved: 2026-02-19T09:52:22.262Z

Link: CVE-2026-27412

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T15:30:05Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')