Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Luxury Wine luxury-wine allows PHP Local File Inclusion. This issue affects Luxury Wine: from n/a through <= 1.1.14.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion enabling potential data exposure or code execution
Action: Patch Theme
AI Analysis

Impact

The vulnerability is caused by missing validation when forming the filename passed to a PHP include function in the Luxury Wine theme. An attacker who can influence the input that drives this include may force the site to read local files or execute arbitrary PHP code. The flaw falls under CWE‑98 and can compromise confidentiality or integrity by revealing sensitive files such as configuration or password data. If the attacker can also write a PHP file into a directory that the include statement reads, the vulnerability can be escalated to remote code execution.

Affected Systems

ThemeREX Luxury Wine, a WordPress theme, is affected for all releases up to and including version 1.1.14. Any installation that contains this version or an earlier one is vulnerable, regardless of the WordPress core version it runs on.

Risk and Exploitability

The reported severity is high with a score of 8.1. The estimated exploitation likelihood is below 1%. The vulnerability is not listed in the known exploited vulnerabilities catalog. Successful exploitation requires the attacker to supply data that is used directly in the include operation, which can occur through a web‑based or local vector. If the attacker can place a PHP file in a directory accessible to the include, arbitrary code execution becomes possible, amplifying the impact.

Generated by OpenCVE AI on April 16, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the ThemeREX Luxury Wine theme to a release newer than 1.1.14 where the include handling has been corrected
  • If an upgrade cannot be performed immediately, modify the theme’s PHP code that performs the include so that the filename is sanitized or restricted to a trusted directory list
  • Implement WordPress hardening measures such as limiting file‑system permissions on theme directories and preventing execution of uploaded files through appropriate server configuration such as .htaccess rules
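
One way to apply the second recommended action, shown as an added example that is not the theme's code or a vendor patch: accept only allow-listed template names, then confirm with realpath() that the resolved file stays inside a trusted directory. The function name safe_template_path(), the template names and the directory layout are hypothetical.

```php
<?php
// Added illustration, not code from the Luxury Wine theme or a vendor patch.
// safe_template_path(), the template names and the directory are hypothetical.

/**
 * Map an untrusted template name to a file inside $baseDir, or return null.
 */
function safe_template_path(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allow-list: only names the theme itself ships may be requested.
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    // 2. Canonicalise both paths so symlinks and ".." segments are resolved.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null; // missing directory or file
    }

    // 3. Containment: the resolved file must sit under the trusted directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway directory holding one legitimate template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', "<?php return 'header ok';");
$allowed = ['header', 'footer'];

// Constructed inputs: a valid name, a name outside the list, an absent file.
foreach (['header', '../outside', 'footer'] as $requested) {
    $file = safe_template_path($requested, $dir, $allowed);
    if ($file === null) {
        echo "rejected: $requested\n";
        continue;
    }
    echo "included: $requested -> " . (include $file) . "\n";
}

unlink($dir . DIRECTORY_SEPARATOR . 'header.php');
rmdir($dir);
```

The allow-list alone stops the request here; the realpath() containment check is a second layer that still holds if an allow-listed name is later replaced by a symlink pointing outside the directory.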

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 16:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Themerex; Themerex luxury Wine; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Themerex; Themerex luxury Wine; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Luxury Wine luxury-wine allows PHP Local File Inclusion. This issue affects Luxury Wine: from n/a through <= 1.1.14.

Type: Title
Values Removed: (empty)
Values Added: WordPress Luxury Wine theme <= 1.1.14 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:24.191Z

Reserved: 2026-02-25T12:13:12.448Z

Link: CVE-2026-28016

Vulnrichment

Updated: 2026-03-06T15:59:32.646Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:33.740

Modified: 2026-03-06T16:16:12.157

Link: CVE-2026-28016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses