Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion. This issue affects Translogic: from n/a through <= 1.2.11.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially enabling code execution
Action: Upgrade Theme
AI Analysis

Impact

The Translogic theme contains a local file inclusion (LFI) flaw caused by an unsanitized filename supplied to PHP's include/require statement. If an attacker can supply a path that points to an arbitrary local file, the server will load and execute that file. This vulnerability is classified under CWE-98. Based on the description, it is inferred that including a malicious PHP file could lead to remote code execution. The description does not specify whether the attacker needs authenticated access; it is inferred that the attacker would need to influence the filename parameter, possibly via a crafted request to the theme.

Affected Systems

All releases of the ThemeREX Translogic theme up to and including version 1.2.11 are affected. The vendor is identified as ThemeREX:Translogic.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity. EPSS is reported as <1%, which suggests a low current exploitation probability, and the vulnerability is not listed in CISA's KEV catalog. In theory, exploitation requires an attacker capable of crafting a request that causes the theme to include a local file; successful exploitation can lead to code execution or data disclosure. Because the EPSS score is low and the vulnerability is not listed in KEV, widespread active exploitation is unlikely at present, but the high CVSS score and the nature of the flaw keep the risk significant for affected sites.

Generated by OpenCVE AI on April 16, 2026 at 12:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Translogic theme to a version newer than 1.2.11.
  • If an update cannot be applied immediately, edit the theme’s PHP files to validate the filename parameter and restrict include/require calls to a whitelist of approved paths.
  • Configure the server to limit PHP include scope, such as by setting open_basedir to only allow the theme’s directories or by disabling directory traversal options.
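
One way to implement the allowlist check from the second recommended action, shown as an added example (not the theme's code or a vendor patch). The function name, template keys and demo directory are hypothetical; the request supplies only a short key, and the resolved path must stay inside the template directory.

```php
<?php
declare(strict_types=1);

/**
 * Map a request-supplied key to a file that is safe to include.
 * Hypothetical helper: names, keys and paths are illustrative only.
 */
function safe_template_path(string $key, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the request supplies a short key, never a path.
    if (!array_key_exists($key, $allowed)) {
        return null;
    }

    // 2. Canonicalise both sides so symlinks and "../" are resolved.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null; // base or target does not exist
    }

    // 3. Containment: the resolved file must sit inside the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo: a temp directory stands in for the theme's templates.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . '/services.php', '<?php echo "services template\n";');

$allowed = ['services' => 'services.php', 'team' => 'team.php'];

// Constructed inputs: one valid key, one allowed key whose file is missing,
// and two path-like values that are not keys at all.
foreach (['services', 'team', '../outside.php', '/tmp/other.php'] as $requested) {
    $file = safe_template_path($requested, $base, $allowed);
    if ($file !== null) {
        include $file;
    } else {
        echo "rejected: {$requested}\n";
    }
}

unlink($base . '/services.php');
rmdir($base);
```

Setting open_basedir, as in the third action, remains a separate server-level layer behind this check.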

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex translogic
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex translogic
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion. This issue affects Translogic: from n/a through <= 1.2.11.
Title WordPress Translogic theme <= 1.2.11 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:23.737Z

Reserved: 2026-02-25T12:13:12.448Z

Link: CVE-2026-28014

Vulnrichment

Updated: 2026-03-06T15:57:05.191Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:33.473

Modified: 2026-03-06T16:16:11.723

Link: CVE-2026-28014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z
