Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Maxify maxify allows PHP Local File Inclusion. This issue affects Maxify: from n/a through <= 1.0.16.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an improper control of the filename passed to a PHP include/require statement within the ThemeREX Maxify WordPress theme (CWE-98). The flaw allows an attacker to specify arbitrary file paths, causing the server to load files that may contain executable code. Based on this description, an attacker could potentially read local files on the server or cause other unintended content to be included, leading to potential exposure or misuse of data.

Affected Systems

ThemeREX Maxify versions up to 1.0.16 are affected. The vulnerability applies to all installations of the Maxify theme that have not been updated beyond version 1.0.16.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, but the EPSS score puts the probability of exploitation at very low (<1%). The vulnerability is not listed in the CISA KEV catalog. Attackers would exploit the flaw via crafted input that manipulates the include path, such as poorly validated query parameters or configuration fields in the theme. Exploitation requires that the crafted input reach an include/require statement without proper validation. The risk remains high until the theme is patched or the flaw is otherwise mitigated.

Generated by OpenCVE AI on April 16, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Maxify theme to a version newer than 1.0.16, where the file inclusion flaw has been corrected.
  • If an upgrade is not immediately feasible, remove the Maxify theme from the WordPress installation and replace it with a secure alternative, or disable the theme’s file inclusion features until a patch is applied.
  • Implement input validation and whitelisting for any file paths used in include/require statements, ensuring only expected, safe files can be loaded.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Themerex
                                       Themerex maxify
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Themerex
                                       Themerex maxify
                                       Wordpress
                                       Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Maxify maxify allows PHP Local File Inclusion. This issue affects Maxify: from n/a through <= 1.0.16.
Title                          WordPress Maxify theme <= 1.0.16 - Local File Inclusion vulnerability
Weaknesses                     CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:21.199Z

Reserved: 2026-02-25T12:12:58.154Z

Link: CVE-2026-27997

Vulnrichment

Updated: 2026-03-06T18:25:50.921Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:32.280

Modified: 2026-03-06T19:16:20.383

Link: CVE-2026-27997

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses