Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vixus vixus allows PHP Local File Inclusion.This issue affects Vixus: from n/a through <= 1.0.16.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that could lead to arbitrary code execution
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from an improper control of the filename used in a PHP include or require statement within the Vixus WordPress theme. The flaw allows an attacker to manipulate the target file to be included, which can lead to the execution of arbitrary PHP code on the web server. The weakness is classified as a Local File Inclusion scenario, directly impacting confidentiality, integrity, and availability of the affected site.

Affected Systems

The affected product is the ThemeREX Vixus WordPress theme, versions through 1.0.16 inclusive. Any WordPress installation that has this theme installed without upgrade beyond the specified version is susceptible.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity. The EPSS score of less than one percent indicates a low probability of exploitation at this stage, and it is not currently listed in the CISA KEV catalog. The lack of explicit authentication requirements in the description suggests that the attack could be carried out by an unauthenticated or local actor who can influence the theme’s file inclusion logic. Given these conditions, the risk is moderate but warrants timely remediation to prevent possible remote code execution.

Generated by OpenCVE AI on April 15, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vixus theme to the latest version that no longer contains the vulnerable include/require logic.
  • If an upgrade is not immediately feasible, review and sanitize all file inclusion paths in the theme’s PHP code to ensure only permitted files can be loaded.
  • Enforce strict file permission restrictions on the website directories to limit reading or execution of sensitive files that could be accessed through the inclusion flaw.

Generated by OpenCVE AI on April 15, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex vixus
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex vixus
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vixus vixus allows PHP Local File Inclusion.This issue affects Vixus: from n/a through <= 1.0.16.
Title WordPress Vixus theme <= 1.0.16 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Vixus
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:21.642Z

Reserved: 2026-02-25T12:12:58.154Z

Link: CVE-2026-27998

cve-icon Vulnrichment

Updated: 2026-03-06T19:41:33.756Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:32.420

Modified: 2026-03-06T20:16:14.930

Link: CVE-2026-27998

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses