Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Equadio equadio allows PHP Local File Inclusion. This issue affects Equadio: from n/a through <= 1.1.3.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted Local File Inclusion in the WordPress Equadio theme that may lead to arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

The Equadio theme contains a flaw (CWE-98) in which user-controlled data reaches a PHP include/require statement without adequate validation. Although the CWE title speaks of "Remote File Inclusion", the advisory classifies this instance as Local File Inclusion: the attacker-supplied value is resolved against the web server's own filesystem rather than fetched from a remote URL. Because PHP executes any PHP code in an included file and simply echoes the contents of a file that is not PHP, an attacker can use the flaw either to disclose files readable by the web server process or, by pointing the include at a file whose contents they can influence (an uploaded file, or a log that records request data), to run arbitrary code as the web server user.

Affected Systems

The vulnerability is found in the ThemeREX Equadio theme for WordPress. The advisory gives no lower bound ("from n/a") and an upper bound of version 1.1.3 inclusive, so every release of Equadio up to and including 1.1.3 should be treated as affected. No fixed version is named in the record.

Risk and Exploitability

The CVSS 3.1 vector recorded for this CVE (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) gives a base score of 8.1, High: the flaw is reachable over the network by an unauthenticated attacker without user interaction and, if exploited, yields full confidentiality, integrity and availability impact on the WordPress host, but the attack complexity is rated High. The accompanying SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: total; the EPSS score is below 1%, and the CVE is not listed in the CISA KEV catalog. The current likelihood of exploitation is therefore assessed as low, while the consequence of a successful attack is complete compromise of the site. In practice, turning a local file inclusion into code execution usually requires the attacker to first place a file they control on the server (for example through an upload feature or a log that records request data), which is consistent with the High attack complexity rating.

Generated by OpenCVE AI on April 16, 2026 at 05:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Equadio theme to the latest available version from ThemeREX, which should contain a fix for this LFI flaw.
  • If an update cannot be performed immediately, deactivate or uninstall the Equadio theme to prevent the vulnerable code from executing.
  • Ensure that any custom code or child themes do not use user-supplied data in include/require calls; sanitize or hard‑code the file paths to avoid arbitrary file inclusion.
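The pattern described in the Impact paragraph above, and the fix called for in the third recommended action, as an added example written for this page: it is not the Equadio theme's code, ThemeREX's actual parameter and function names are not published in the record, and the `tpl` query parameter, the `templates/` sub-directory and the `equadio_*` function names are assumptions. `get_template_directory()`, `sanitize_key()` and `wp_die()` are real WordPress APIs. The first function shows a template loader that hands a request value straight to `include` (CWE-98); the second maps the request onto a fixed allowlist and then confirms the resolved path still lies under the templates directory before including it.

```php
<?php
// Added example for this page; not code from the Equadio theme or ThemeREX.
// The 'tpl' query parameter, the templates/ sub-directory and the equadio_*
// function names are assumptions standing in for whatever the real theme used.
// get_template_directory(), sanitize_key() and wp_die() are real WordPress APIs.

/*
 * VULNERABLE (CWE-98): the request value reaches include() unchanged.
 *   ?tpl=../../../uploads/2026/03/avatar.png    -> PHP runs any <?php ... ?> block
 *                                                inside the attacker-uploaded file
 *   ?tpl=../../../../../../../../etc/passwd     -> not a PHP file, so include()
 *                                                echoes its contents (disclosure)
 */
function equadio_load_template_vulnerable(): void
{
    $tpl = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'default.php';
    include get_template_directory() . '/templates/' . $tpl;
}

/*
 * HARDENED: the request value only ever selects an entry from a fixed list,
 * and the resolved path is checked to sit under the templates directory
 * before it is included (defence in depth should the list later change).
 */
const EQUADIO_TEMPLATES = ['default', 'portfolio', 'team', 'contact'];

/**
 * Map a requested template name to an absolute path under $baseDir, or return
 * null if the name is not allowlisted or the resolved path escapes $baseDir.
 */
function equadio_resolve_template(string $requested, string $baseDir): ?string
{
    // 1. Normalise and compare against the allowlist with strict typing.
    $name = strtolower(trim($requested));
    if (!in_array($name, EQUADIO_TEMPLATES, true)) {
        return null;
    }

    // 2. Canonicalise both paths. realpath() follows symlinks and collapses
    //    any "..", so a prefix comparison on the result is meaningful.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // directory or template file does not exist
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the templates directory
    }
    return $path;
}

function equadio_load_template_safe(): void
{
    // sanitize_key() lowercases and strips anything outside [a-z0-9_-],
    // so path separators and dots never reach the resolver.
    $requested = isset($_GET['tpl']) ? sanitize_key((string) $_GET['tpl']) : 'default';
    $path = equadio_resolve_template($requested, get_template_directory() . '/templates');
    if ($path === null) {
        wp_die('Unknown template.', 'Bad Request', ['response' => 400]);
    }
    include $path;
}
```

To audit a theme or child theme for the same weakness, search for `include`, `include_once`, `require` and `require_once` whose argument is built from `$_GET`, `$_POST`, `$_REQUEST`, `$_COOKIE` or a `get_query_var()` result. The durable fix is the one shown above: use the request value to choose from a fixed set of known files rather than trying to sanitise an arbitrary path, and keep a `realpath()` containment check as a second line of defence.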

Generated by OpenCVE AI on April 16, 2026 at 05:06 UTC.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 21:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themerex; Themerex equadio; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themerex; Themerex equadio; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Equadio equadio allows PHP Local File Inclusion.This issue affects Equadio: from n/a through <= 1.1.3.

Type: Title
Values Added: WordPress Equadio theme <= 1.1.3 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:18.654Z

Reserved: 2026-02-25T12:12:49.962Z

Link: CVE-2026-27988

Vulnrichment

Updated: 2026-03-06T20:41:59.469Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:31.050

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-27988

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses