Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Meals & Wheels meals-wheels allows PHP Local File Inclusion.This issue affects Meals & Wheels: from n/a through <= 1.1.12.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local file inclusion potentially enabling disclosure of sensitive files or remote code execution
Action: Apply patch
AI Analysis

Impact

ThemeREX Meals & Wheels version 1.1.12 includes an improper control of filenames in PHP include/require statements. The flaw allows a user‑supplied path to be interpreted as a local file, enabling the reading of arbitrary files on the server. Based on the description, it is inferred that if an attacker can influence the include path to point to a PHP file, they may execute arbitrary code, potentially leading to remote code execution. The weakness corresponds to CWE‑98, highlighting a flaw in filename validation.

Affected Systems

All installations of the Meals & Wheels WordPress theme from the initial release up through version 1.1.12 are affected. Any WordPress site using this theme within that version range could be exposed unless the theme has been updated to a fixed release.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of < 1 % implies a very low probability of active exploitation at the time of analysis and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be local to the web application, requiring an attacker to craft a request that passes a malicious path to an include/require call. Exploitation would likely involve manipulating a query parameter or form input that is directly forwarded to the include/require logic without proper sanitization.

Generated by OpenCVE AI on April 16, 2026 at 12:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Meals & Wheels theme to the latest version that contains the fix for the local file inclusion flaw.
  • Remove or hard‑code any include/require statements that incorporate user‑supplied parameters; replace them with known safe file paths.
  • Implement server‑side validation that blocks directory traversal characters and restricts the include/require calls to files within the theme’s designated directories.

Generated by OpenCVE AI on April 16, 2026 at 12:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex meals & Wheels
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex meals & Wheels
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Meals & Wheels meals-wheels allows PHP Local File Inclusion.This issue affects Meals & Wheels: from n/a through <= 1.1.12.
Title WordPress Meals & Wheels theme <= 1.1.12 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Meals & Wheels
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:19.351Z

Reserved: 2026-02-25T12:12:49.964Z

Link: CVE-2026-27992

cve-icon Vulnrichment

Updated: 2026-03-06T20:36:34.007Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:31.600

Modified: 2026-03-06T21:16:14.953

Link: CVE-2026-27992

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses