Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Justitia justitia allows PHP Local File Inclusion.This issue affects Justitia: from n/a through <= 1.1.0.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Justitia theme contains an improper control of filename for an include/require statement in PHP. Because the filename is derived directly from input without validation, an attacker can cause the theme to include arbitrary files from the local filesystem. If PHP files are included, this can lead to remote code execution; if sensitive data files are exposed, confidentiality is impacted. The weakness corresponds to CWE-98.

Affected Systems

ThemeREX Justitia theme versions up to and including 1.1.0 are affected. No specific sub‑versions are listed, so any 1.1.0 or earlier build must be considered vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity. EPSS is listed as less than 1 %, so the likelihood of exploitation is currently low, and the issue is not listed in CISA’s KEV catalog. Nonetheless, the lack of input validation allows attackers to create crafted requests that reference arbitrary files on the server, potentially enabling data disclosure or code execution depending on server configuration.

Generated by OpenCVE AI on April 16, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Justitia theme to the most recent released version, which resolves the issue.
  • If an upgrade is not possible, disable the vulnerable include by removing the relevant template file or commenting out the include statements, or restrict file inclusion via server configuration.
  • As a temporary workaround, manually edit the theme code to sanitize the filename parameter or limit the included paths to a safe directory.

Generated by OpenCVE AI on April 16, 2026 at 05:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex justitia
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex justitia
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Justitia justitia allows PHP Local File Inclusion.This issue affects Justitia: from n/a through <= 1.1.0.
Title WordPress Justitia theme <= 1.1.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Justitia
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:20.167Z

Reserved: 2026-02-25T12:12:58.153Z

Link: CVE-2026-27995

cve-icon Vulnrichment

Updated: 2026-03-06T18:29:29.270Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:32.010

Modified: 2026-03-06T19:16:20.190

Link: CVE-2026-27995

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses