Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Avventure avventure allows PHP Local File Inclusion. This issue affects Avventure: from n/a through <= 1.1.12.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises from improper control of the filename used in an include/require statement within the Avventure WordPress theme, exposing it to local file inclusion. An attacker who can influence the filename can read arbitrary files on the server and potentially trigger execution of those files via PHP. The flaw corresponds to CWE-98, which is an improper input handling weakness that permits inclusion of unintended files.

Affected Systems

The issue applies to WordPress installations using the ThemeREX Avventure theme up to and including version 1.1.12. Any site that has installed this theme version or an earlier release is exposed to the flaw.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is considered high severity, and the EPSS score of less than 1% indicates a low estimated probability of exploitation in the near term. The flaw is not listed in CISA’s Known Exploited Vulnerabilities catalog. Based on the description, an attacker might exploit the flaw by manipulating the theme’s filename parameter, for example via a crafted URL or form input, to trigger the vulnerable include. The effectiveness of such an attack depends on the site’s exposure to external traffic.

Generated by OpenCVE AI on April 16, 2026 at 05:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Avventure theme to a version newer than 1.1.12 or apply the security patch released by ThemeREX.
  • If an upgrade cannot be performed immediately, remove or comment out the vulnerable include/require statement in the theme’s code, or replace it with a safe file inclusion mechanism.
  • Implement input validation or a whitelist against the filename parameter, and consider deploying a web application firewall to detect and block file‑inclusion attempts.



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'} |
| | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Fri, 06 Mar 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Themerex; Themerex avventure; Wordpress; Wordpress wordpress |
| Vendors & Products | | Themerex; Themerex avventure; Wordpress; Wordpress wordpress |

Thu, 05 Mar 2026 06:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Avventure avventure allows PHP Local File Inclusion. This issue affects Avventure: from n/a through <= 1.1.12. |
| Title | | WordPress Avventure theme <= 1.1.12 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:19.182Z

Reserved: 2026-02-25T12:12:49.964Z

Link: CVE-2026-27991

Vulnrichment

Updated: 2026-03-06T18:32:59.081Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:31.460

Modified: 2026-03-06T19:16:19.793

Link: CVE-2026-27991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses