Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ShiftCV shift-cv allows PHP Local File Inclusion.This issue affects ShiftCV: from n/a through <= 3.0.14.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The ShiftCV theme from ThemeREX contains an improper control of filenames used in PHP include/require statements. This flaw permits an attacker to specify arbitrary file paths, which leads to local file inclusion. By including a file that contains PHP code, the attacker could also trigger execution of that code within the context of the web application.

Affected Systems

The vulnerability affects every release of the ShiftCV theme distributed by ThemeREX up to and including version 3.0.14. Users running any of these versions should consider upgrading.

Risk and Exploitability

With a CVSS score of 8.1, the flaw is considered high severity. The EPSS score of less than 1% indicates a very low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via a crafted HTTP request that manipulates a filename used in a PHP include/require statement; a local attacker with file system access could also trigger the flaw by directly supplying a path.

Generated by OpenCVE AI on April 16, 2026 at 12:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ShiftCV theme to a version newer than 3.0.14.
  • If an upgrade is delayed, configure the web server to prevent directory traversal and restrict the paths allowed in PHP include/require statements by implementing a whitelist of safe files.
  • Ensure file permissions on the server deny reading of sensitive files such as wp-config.php, .htaccess, or other configuration files from the web root.

Generated by OpenCVE AI on April 16, 2026 at 12:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex shiftcv
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex shiftcv
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ShiftCV shift-cv allows PHP Local File Inclusion.This issue affects ShiftCV: from n/a through <= 3.0.14.
Title WordPress ShiftCV theme <= 3.0.14 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Shiftcv
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:23.936Z

Reserved: 2026-02-25T12:13:12.448Z

Link: CVE-2026-28015

cve-icon Vulnrichment

Updated: 2026-03-06T15:31:53.303Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:33.603

Modified: 2026-03-06T16:16:11.940

Link: CVE-2026-28015

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses