Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Humanum humanum allows PHP Local File Inclusion. This issue affects Humanum: from n/a through <= 1.1.4.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion enabling potential data disclosure and remote code execution
Action: Immediate Patch
AI Analysis

Impact

The Humanum theme passes a value it does not adequately control into a PHP include/require statement (CWE-98), so an attacker who can influence that value can make the server include an arbitrary file from the local filesystem. At minimum this discloses files the PHP worker can read, including configuration files and the credentials they hold; it becomes remote code execution as soon as the attacker can place PHP code in any file that same worker can include (an upload, a log file, a session file) and then include it through the flaw. The CVSS vector rates confidentiality, integrity and availability impact all as high, so the realistic worst case is full compromise of the host.

Affected Systems

WordPress installations that use the ThemeREX Humanum theme in any version up to and including 1.1.4. The advisory gives no lower bound (from n/a), and at the time of this page it names no fixed release, so every installed version through 1.1.4 should be treated as affected.

Risk and Exploitability

The vulnerability carries a CVSS v3.1 base score of 8.1 (High). The vector, AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, describes a flaw reachable over the network with no privileges and no user interaction, but with high attack complexity, which is what keeps the score below 9. The EPSS score is below 1%, meaning the model currently assigns a very low probability of exploitation in the wild over the coming weeks; that is a statement about expected attacker activity, not about how hard the flaw is to exploit once the vulnerable parameter is known. The flaw is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. The attack vector is remote: a crafted HTTP request causes the theme to include an attacker-chosen local file. No public exploit is listed, but local file inclusion is routinely turned into data theft or code execution once the attacker controls the inclusion path.

Generated by OpenCVE AI on April 16, 2026 at 05:06 UTC.
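The include pattern the analysis above describes, shown beside a hardened form, as an added example for this page: it is illustrative code, not the Humanum theme's source, which is not reproduced here. The request parameter name (template), the templates/ directory and the allowlisted template names are all assumptions.

```php
<?php
// Added example for CWE-98 (illustrative; not Humanum theme code).
// Assumptions: the theme picks a template file from a request parameter named
// "template" and keeps its templates in templates/ next to this script.
declare(strict_types=1);

// Vulnerable pattern (do NOT use): the request decides which file PHP executes.
// "../../../../etc/passwd", or "php://filter/..." where wrappers are enabled, is accepted verbatim.
function include_template_vulnerable(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: allowlist of template names plus canonical-path confinement.
const TEMPLATE_ALLOWLIST = ['home', 'single', 'archive'];

/** Returns the canonical path of an allowed template, or null if the input must be rejected. */
function resolve_template(string $template, string $baseDir): ?string
{
    // 1. Only a plain identifier is acceptable: no slashes, dots, NUL bytes or wrappers.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $template)) {
        return null;
    }
    // 2. Only names the theme actually ships may be included.
    if (!in_array($template, TEMPLATE_ALLOWLIST, true)) {
        return null;
    }
    // 3. Defence in depth: the resolved file must exist and sit inside the template directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $template . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Throwaway template directory so the checks can be exercised offline (constructed data).
$root   = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi-demo-' . getmypid();
$tplDir = $root . DIRECTORY_SEPARATOR . 'templates';
mkdir($tplDir, 0700, true);
file_put_contents($tplDir . '/home.php', "<?php echo \"home template rendered\\n\";\n");
file_put_contents($root . '/secret.php', "<?php echo \"must never be included\\n\";\n");

$probes = [
    'home',                                              // legitimate
    '../secret',                                         // traversal to a sibling of templates/
    "home\0",                                            // NUL byte
    'php://filter/convert.base64-encode/resource=home',  // stream wrapper
    'single',                                            // allowlisted, but the file does not exist
];
foreach ($probes as $probe) {
    $resolved = resolve_template($probe, $tplDir);
    printf("%-52s => %s\n", addcslashes($probe, "\0"), $resolved ?? 'REJECTED');
}

// Safe dispatch: only a resolved, confined path ever reaches include.
$path = resolve_template($_GET['template'] ?? 'home', $tplDir);
if ($path === null) {
    http_response_code(400);
} else {
    include $path;
}

// Remove the demo files.
unlink($tplDir . '/home.php');
unlink($root . '/secret.php');
rmdir($tplDir);
rmdir($root);
```

Run it with `php` on the command line: only the "home" probe resolves, the four others are rejected before include is reached, and the final include executes the confined file. The allowlist is the real control; the realpath comparison is there so that a future edit which loosens the regex still cannot escape the template directory.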

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Humanum theme as soon as a release newer than 1.1.4 that fixes the file inclusion is published; at the time of this page no fixed version is listed, so treat every installed version through 1.1.4 as affected.
  • Until then, constrain the include: resolve the user‑influenced value against an allowlist of known template names, reject anything containing path separators, ".." or NUL bytes, canonicalise with realpath() and refuse any path outside the theme directory. Keep allow_url_include disabled in php.ini so the same sink cannot be turned into remote file inclusion.
  • Monitor web server logs for traversal sequences ("../", "%2e%2e%2f"), php:// and other stream wrappers, and requests naming files such as /etc/passwd or wp-config.php in theme parameters, and block the source addresses. Tighten file permissions where you can, bearing in mind that they only protect files the PHP worker itself does not need to read.
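The log monitoring recommended above, as an added example for this page (not OpenCVE's or ThemeREX's code): a scan of access‑log lines for generic local‑file‑inclusion indicators. The indicators are the usual traversal, wrapper and sensitive‑file patterns, not a signature for this CVE, whose vulnerable parameter is not public; the log lines, client addresses and the index.php?f= parameter are constructed samples.

```php
<?php
// Added example (not OpenCVE's or ThemeREX's code): flag generic LFI/RFI indicators in
// combined-format access logs. Sample lines, addresses and parameter names are constructed.
declare(strict_types=1);

// Indicators are matched against the URL-decoded request target, in this order.
const LFI_INDICATORS = [
    'path traversal'     => '#(?:\.\./|\.\.\\\\)#',
    'sensitive file'     => '#/(?:etc/passwd|etc/shadow|proc/self/environ)\b#i',
    'wp-config'          => '#wp-config\.php#i',
    'stream wrapper'     => '#\b(?:php|data|expect|phar|zip)://#i',
    'null byte'          => '#\x00#',
];

// Decode twice: attackers double-encode "%252e%252e%252f" to slip past single-pass filters.
function decode_request(string $target): string
{
    return rawurldecode(rawurldecode($target));
}

/** Returns one hit per suspicious line: line number, client, status, indicator, decoded target. */
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        // client ident user [time] "METHOD target HTTP/x" status ...
        if (!preg_match('#^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})#', $line, $m)) {
            continue;
        }
        [, $client, $method, $target, $status] = $m;
        $decoded = decode_request($target);
        foreach (LFI_INDICATORS as $name => $re) {
            if (preg_match($re, $decoded)) {
                $hits[] = [
                    'line'      => $n + 1,
                    'client'    => $client,
                    'method'    => $method,
                    'status'    => (int) $status,
                    'indicator' => $name,
                    'target'    => $decoded,
                ];
                break; // one hit per line is enough for triage
            }
        }
    }
    return $hits;
}

// Constructed sample log (not real traffic). Lines 2 to 4 carry LFI indicators.
$sampleLog = [
    '203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "GET /?s=theme HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2026:10:00:09 +0000] "GET /index.php?f=../../../../etc/passwd HTTP/1.1" 200 1984 "-" "curl/8.5.0"',
    '198.51.100.4 - - [05/Mar/2026:10:01:13 +0000] "GET /index.php?f=%252e%252e%252fwp-config.php HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [05/Mar/2026:10:01:14 +0000] "GET /index.php?f=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 700 "-" "python-requests/2.31"',
    '192.0.2.9 - - [05/Mar/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sampleLog) as $hit) {
    // A 200 on a traversal or wrapper request is the one to investigate first:
    // the server served something rather than rejecting the path.
    printf("line %d  %-13s status=%d  %-16s %s\n",
        $hit['line'], $hit['client'], $hit['status'], $hit['indicator'], $hit['target']);
}
```

Run against a real log with `php scan.php < access.log` after swapping the constructed array for `file('php://stdin')`; the double decode is deliberate, since a single `rawurldecode` leaves `%252e%252e%252f` looking harmless. Treat a hit with status 200 as a possible successful read, and a hit with 4xx as probing.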


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Themerex; Themerex humanum; Wordpress; Wordpress wordpress
Vendors & Products   -                Themerex; Themerex humanum; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type         Values Removed   Values Added
Description  -                Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Humanum humanum allows PHP Local File Inclusion. This issue affects Humanum: from n/a through <= 1.1.4.
Title        -                WordPress Humanum theme <= 1.1.4 - Local File Inclusion vulnerability
Weaknesses   -                CWE-98
References   -                

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:18.035Z

Reserved: 2026-02-25T12:12:49.962Z

Link: CVE-2026-27985

Vulnrichment

Updated: 2026-03-06T18:39:29.288Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:30.650

Modified: 2026-03-06T19:16:19.203

Link: CVE-2026-27985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses