Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Lingvico lingvico allows PHP Local File Inclusion. This issue affects Lingvico: from n/a through <= 1.0.14.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The Lingvico WordPress theme contains a flaw where the filename used in an include or require statement is not properly validated. This weakness, classified as CWE‑98, allows an attacker to specify an arbitrary file on the server. The potential to read sensitive configuration files or execute code is inferred from the nature of a local file inclusion flaw, although the CVE description does not explicitly state these outcomes.

Affected Systems

WordPress installations that use the ThemeREX Lingvico theme up to and including version 1.0.14 are affected. Any site deploying those versions is vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, indicating high severity, while the EPSS score is below 1% and it is not listed in the CISA KEV catalog. The likely attack vector is a crafted HTTP request that controls the filename parameter used in the theme’s include or require statement, which is inferred from the description. Because the flaw is a local file inclusion that can be triggered by user input, an attacker could potentially compromise confidentiality, integrity, or availability of the affected site if they succeed in reading or executing files, but these consequences are inferred rather than explicitly stated.

Generated by OpenCVE AI on April 17, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Lingvico theme to a newer version that removes the vulnerability, if one is available.
  • If no update is possible, restrict the file paths used in include/require calls by implementing an allowlist of trusted directories and sanitizing any user‑supplied input.
  • Reduce the file system permissions of the theme directory and any included files to the minimum required for execution, preventing unintended file reads or writes.
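
The allowlist approach from the second recommendation, sketched as an added example; this is not code from the Lingvico theme or from ThemeREX. The function name `safe_template_path`, the `templates` directory and the `layout` request parameter are hypothetical.

```php
<?php
// Added example with hypothetical names; not the Lingvico theme's own code.

/**
 * Resolve a user-supplied template name to a file inside one trusted
 * directory, or return null. The caller includes only a non-null result.
 */
function safe_template_path(string $baseDir, string $name): ?string
{
    // 1. Shape check: a short identifier only, so separators, dots,
    //    NUL bytes and stream-wrapper schemes never reach the filesystem.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Canonicalise the trusted directory.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // 3. Append a fixed extension and resolve symlinks on the candidate.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // 4. Containment check on the resolved path. The trailing separator
    //    keeps a sibling such as "templates-old" from matching "templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage in a template loader; 'layout' is a hypothetical request parameter.
$requested = isset($_GET['layout']) && is_string($_GET['layout'])
    ? $_GET['layout']
    : 'default';
$path = safe_template_path(__DIR__ . '/templates', $requested);
if ($path === null) {
    http_response_code(400);
    exit('Unknown layout');
}
require $path;
```

The containment check runs on the output of `realpath()`, so a symlink placed inside the trusted directory that points elsewhere is rejected as well.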


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 20:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themerex; Themerex lingvico; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themerex; Themerex lingvico; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Lingvico lingvico allows PHP Local File Inclusion. This issue affects Lingvico: from n/a through <= 1.0.14.

Type: Title
Values Removed: (none)
Values Added: WordPress Lingvico theme <= 1.0.14 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:20.358Z

Reserved: 2026-02-25T12:12:58.154Z

Link: CVE-2026-27996

Vulnrichment

Updated: 2026-03-06T19:46:09.883Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:32.153

Modified: 2026-03-06T20:16:14.743

Link: CVE-2026-27996

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:11Z

Weaknesses