Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yottis yottis allows PHP Local File Inclusion. This issue affects Yottis: from n/a through <= 1.0.10.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Upgrade
AI Analysis

Impact

The Yottis WordPress theme contains a flaw that allows an attacker to include arbitrary files on the server through PHP's include/require statements. This improper control of the included filename is a classic Local File Inclusion weakness, tracked as CWE-98, and can enable the disclosure of sensitive configuration files, credentials, or other protected data. The impact is primarily loss of confidentiality, with potential privilege escalation if the included files are executed with elevated permissions.

Affected Systems

WordPress installations that use the ThemeREX Yottis theme, in any version up to and including 1.0.10. The range given in the description ("from n/a through <= 1.0.10") indicates that all earlier releases are potentially affected as well.

Risk and Exploitability

With a CVSS score of 8.1, this vulnerability is rated high severity, though its EPSS score is below 1%, indicating a low likelihood of active exploitation at present. It is not listed in the CISA KEV catalog. The attack vector is inferred to be local or remote depending on how the theme processes file path parameters; the description suggests that unsanitized input can be controlled by a user, making the vulnerability exploitable through crafted requests.

Generated by OpenCVE AI on April 16, 2026 at 05:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Yottis theme to a version newer than 1.0.10, ensuring that the fix for the LFI issue is included.
  • If an upgrade is not immediately possible, disable or remove the theme from the site and replace it with a trusted alternative.
  • Audit the theme’s code for any remaining unsanitized file includes and replace them with safe file path handling or hard‑coded paths.
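A check a defender can run before and after the upgrade, added here and not part of the OpenCVE page or of the ThemeREX code: it reads the WordPress theme header in style.css and reports whether the installed Yottis version falls inside the affected range (<= 1.0.10). The theme directory wp-content/themes/yottis and the standard "Version:" header line are assumptions; the sample header is constructed.

```python
# Added example (not from OpenCVE or ThemeREX): flag a Yottis install in the
# affected range by reading the WordPress theme header in style.css.
# Assumptions: theme directory wp-content/themes/yottis, standard "Version:" header.
import re
from pathlib import Path
from typing import Optional

AFFECTED_MAX = "1.0.10"   # advisory: affected "through <= 1.0.10"
THEME_SLUG = "yottis"     # assumed directory name under wp-content/themes

# Constructed sample header, in the shape WordPress expects at the top of style.css
SAMPLE_STYLE_CSS = """/*
Theme Name: Yottis
Theme URI: https://example.invalid/yottis
Version: 1.0.10
*/"""


def parse_version(style_css: str) -> Optional[str]:
    """Extract the 'Version:' value from a theme header comment, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)\s*$", style_css, re.MULTILINE)
    return m.group(1) if m else None


def version_key(version: str) -> tuple:
    """Numeric sort key for dotted versions, so 1.0.10 > 1.0.9 (a plain string
    compare gets this wrong). Parts are zero-padded to at least four fields so
    1.0.10 and 1.0.10.0 compare equal; non-numeric suffixes such as '-beta'
    are ignored, which treats a pre-release of 1.0.10 as affected (conservative)."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))


def is_affected(version: str) -> bool:
    """True if the version is within the advisory's range (<= 1.0.10)."""
    return version_key(version) <= version_key(AFFECTED_MAX)


def check_theme(wp_root) -> dict:
    """Inspect a WordPress root directory; report install status and exposure."""
    style = Path(wp_root) / "wp-content" / "themes" / THEME_SLUG / "style.css"
    if not style.is_file():
        return {"installed": False, "version": None, "affected": False}
    version = parse_version(style.read_text(errors="replace"))
    # An unparsable header yields version None and is reported as not confirmed
    return {"installed": True, "version": version,
            "affected": version is not None and is_affected(version)}


if __name__ == "__main__":
    import sys
    print(check_theme(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it with the WordPress root as the argument; a result of `affected: True` means the site is still on a version inside the advisory's range.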

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 19:15:00 +0000

Type: Metrics
Values removed: none
Values added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values removed: none
Values added: Themerex, Themerex yottis, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Themerex, Themerex yottis, Wordpress, Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values removed: none
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yottis yottis allows PHP Local File Inclusion. This issue affects Yottis: from n/a through <= 1.0.10.

Type: Title
Values removed: none
Values added: WordPress Yottis theme <= 1.0.10 - Local File Inclusion vulnerability

Type: Weaknesses
Values removed: none
Values added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:23.125Z

Reserved: 2026-02-25T12:13:06.635Z

Link: CVE-2026-28011

Vulnrichment

Updated: 2026-03-06T18:15:54.695Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:33.080

Modified: 2026-03-06T19:16:21.003

Link: CVE-2026-28011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses