Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX OsTende ostende allows PHP Local File Inclusion.This issue affects OsTende: from n/a through <= 1.4.3.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially enabling Remote Code Execution
Action: Update Theme
AI Analysis

Impact

The OsTende theme for WordPress contains an improper control of the filename used in PHP include/require statements, allowing a local file inclusion flaw. An attacker can supply a crafted path that causes the application to read arbitrary files on the server. If a writable location contains PHP code, that code could be executed with the privileges of the web server. The vulnerability is identified as CWE‑98.

Affected Systems

WordPress sites running ThemeREX's OsTende theme version 1.4.3 or earlier are affected. The flaw exists in all releases from the first release through 1.4.3, as the vulnerable code path is present in each of those versions.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity impact, while the EPSS score of less than 1% reflects a very low current exploitation probability. This vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an unauthenticated HTTP request that supplies a malicious file path; the local file inclusion flaw creates an opportunity for an attacker to read sensitive configuration files or, if the server permits PHP execution from arbitrary locations, to run code with the web server’s privileges. Overall, the risk is high but the likelihood of exploitation at present is low.

Generated by OpenCVE AI on April 17, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OsTende theme to the latest version available from the vendor, ensuring that the code path for processing include/require statements has been fixed.
  • If an upgrade cannot be applied immediately, restrict the directories that can be included by configuring PHP’s open_basedir or by placing the site in a chrooted environment to prevent access to arbitrary files.
  • Configure the PHP environment to disallow the "file://" wrapper and other URL wrappers so that only local files can be included, reducing the chance that an attacker can include remote content.

Generated by OpenCVE AI on April 17, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex ostende
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex ostende
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX OsTende ostende allows PHP Local File Inclusion.This issue affects OsTende: from n/a through <= 1.4.3.
Title WordPress OsTende theme <= 1.4.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Ostende
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:18.221Z

Reserved: 2026-02-25T12:12:49.962Z

Link: CVE-2026-27986

cve-icon Vulnrichment

Updated: 2026-03-06T20:45:42.868Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:30.783

Modified: 2026-03-06T21:16:14.420

Link: CVE-2026-27986

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T13:00:12Z

Weaknesses