Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Scientia scientia allows PHP Local File Inclusion. This issue affects Scientia: from n/a through <= 1.2.4.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper control of the filename used in PHP's include/require statements, which allows the inclusion of sensitive local files on the server. Based on the description, it is inferred that an attacker could read or potentially execute arbitrary local files through the vulnerable code path, thereby compromising confidentiality, integrity, or availability of the affected WordPress installation.

Affected Systems

The issue affects the ThemeREX Scientia WordPress theme in all releases up to and including version 1.2.4. Site administrators who are still using one of these releases are at risk; newer releases are not impacted according to the available data.

Risk and Exploitability

With a CVSS score of 8.1 the flaw is classified as high severity, yet the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, indicating a low likelihood of widespread exploitation at present. The likely attack vector is a crafted web request that manipulates a file path parameter used by the theme, which is inferred from the type of LFI flaw and typical entry points in WordPress themes.

Generated by OpenCVE AI on April 16, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Scientia theme to the latest version that contains the fix if one is available (e.g., a release newer than 1.2.4).
  • Restrict any user‑provided file paths to a whitelisted directory or apply strict validation against a known list of safe paths before passing them to include or require statements.
  • Disable the PHP directive allow_url_include and, if possible, disable allow_url_fopen to prevent external and local file inclusion from untrusted sources.
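As an added illustration of the second recommended action (hypothetical code, not from the Scientia theme or from OpenCVE), the following PHP shows the CWE-98 shape of the weakness next to an allowlist-plus-containment check applied before include; the template names, the templates directory and the tpl parameter are assumptions.

```php
<?php
// Hypothetical illustration of the CWE-98 mitigation: validate a request-
// controlled template name against an allowlist before it reaches include().

// Constructed example: the only template fragments this code may ever load.
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar'];
define('TEMPLATE_DIR', __DIR__ . '/templates');

// Weak pattern (the CWE-98 shape): the request parameter reaches include()
// unchanged, so traversal sequences or stream wrappers in it are honoured.
function include_template_unsafe(string $name): void
{
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// Hardened pattern: exact-match allowlist, then a realpath() containment
// check so that even a future allowlist mistake cannot escape TEMPLATE_DIR.
function resolve_template(string $name): ?string
{
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        return null;                      // not a known template name
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                      // missing directory or file
    }
    // Containment: the resolved file must sit directly under the template dir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function include_template(string $name): bool
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);          // reject rather than guess
        return false;
    }
    include $path;
    return true;
}

// Typical call site: $_GET['tpl'] is untrusted and never reaches include() directly.
include_template((string) ($_GET['tpl'] ?? 'header'));
```

The allowlist is the control that matters; the realpath() check is defence in depth and also covers the symlink case that a plain string prefix test would miss.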



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Themerex
                                      Themerex scientia
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Themerex
                                      Themerex scientia
                                      Wordpress
                                      Wordpress wordpress

Thu, 05 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               cvssV3_1
                                      {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                                      ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type                 Values Removed   Values Added
Description                           Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Scientia scientia allows PHP Local File Inclusion. This issue affects Scientia: from n/a through <= 1.2.4.
Title                                 WordPress Scientia theme <= 1.2.4 - Local File Inclusion vulnerability
Weaknesses                            CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:22.906Z

Reserved: 2026-02-25T12:13:06.635Z

Link: CVE-2026-28010

Vulnrichment

Updated: 2026-03-05T19:54:26.533Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:32.953

Modified: 2026-03-05T20:16:13.080

Link: CVE-2026-28010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses