Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Kratz kratz allows PHP Local File Inclusion. This issue affects Kratz: from n/a through <= 1.0.12.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential remote code execution via local file inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper control of filename for include/require statements in the WordPress Kratz theme, allowing a local file inclusion attack. An attacker who can influence the filename parameter can cause PHP to read or execute files on the server, leading to information disclosure or remote code execution.

Affected Systems

WordPress sites that use the ThemeREX Kratz theme version 1.0.12 or earlier are affected. Any instance of this theme on a live site potentially exposes the vulnerability.

Risk and Exploitability

The CVSS score of 8.1 marks it as high severity, yet the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, leveraging crafted URLs or form inputs that provide a filename to the vulnerable include statement. Successful exploitation would grant an attacker read access to arbitrary server files and potentially allow execution of malicious code if the included file contains executable PHP.

Generated by OpenCVE AI on April 15, 2026 at 23:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kratz theme to the latest version, i.e. a release later than 1.0.12, or apply any available vendor patch that fixes the include handling.
  • If an immediate upgrade is not possible, modify the theme code to validate all filenames against a whitelist and reject any input that contains path traversal sequences or non‑allowed characters before calling include or require.
  • Sanitize the user‑supplied file path parameters and remove any directory traversal characters such as "../"; log and block any attempts to include disallowed files.
  • Monitor web server logs for repeated failed inclusion attempts and block offending IP addresses to prevent automated exploitation attempts.
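As an added illustration of the allowlist check described in the second and third actions (example code, not taken from the Kratz theme or from Patchstack; the template directory, the template names and the request parameter name are assumptions), the unchecked include pattern is shown as a comment beside a hardened loader:

```php
<?php
// Added example (not the theme's code): a hardened template loader that
// applies the allowlist and path-containment checks recommended above.
// TEMPLATE_DIR, the template names and the 'template' parameter are assumed.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist: the only template names this loader will ever include.
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar'];

/**
 * Map a user-supplied template name to a file path inside TEMPLATE_DIR,
 * or return null. Names outside the allowlist are refused outright, and
 * realpath() is used as defence in depth so that traversal sequences such
 * as "../" or stream wrappers such as "php://" can never reach include.
 */
function resolve_template(string $name): ?string
{
    // Exact, strict match against known names only.
    if (!in_array($name, ALLOWED_TEMPLATES, true)) {
        error_log('Rejected template request: ' . $name);
        return null;
    }
    // Confirm the resolved file really lives under TEMPLATE_DIR.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('Template resolved outside template directory: ' . $name);
        return null;
    }
    return $path;
}

// Vulnerable pattern (CWE-98): the request parameter reaches include unchecked.
// include($_GET['template'] . '.php');

// Hardened usage: only an allowlisted, contained path is ever included.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'header';
$file = resolve_template($requested);
if ($file === null) {
    http_response_code(400);
    exit('Invalid template');
}
include $file;
```

The error_log calls give the web server log entries that the fourth action suggests monitoring for repeated rejected requests.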

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed:
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed:
Values Added: Themerex, Themerex kratz, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Removed:
Values Added: Themerex, Themerex kratz, Wordpress, Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed:
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Kratz kratz allows PHP Local File Inclusion. This issue affects Kratz: from n/a through <= 1.0.12.

Type: Title
Values Removed:
Values Added: WordPress Kratz theme <= 1.0.12 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed:
Values Added: CWE-98

Type: References
Values Removed:
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:23.528Z

Reserved: 2026-02-25T12:13:12.447Z

Link: CVE-2026-28013

Vulnrichment

Updated: 2026-03-06T16:46:57.809Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:33.347

Modified: 2026-03-06T17:16:26.423

Link: CVE-2026-28013

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses