Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Manoir manoir allows PHP Local File Inclusion. This issue affects Manoir: from n/a through <= 1.11.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that can lead to remote code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability stems from improper validation of filenames used in PHP include/require statements within the Manoir WordPress theme. This flaw, identified as CWE‑98, permits an attacker to cause the theme to include files that a legitimate user normally could not access. If the included files contain sensitive server data, the attacker may read them, and in configurations where PHP code in those files is executed, they may run arbitrary PHP code, potentially compromising the entire site and its underlying server.

Affected Systems

WordPress installations that employ the Manoir theme from the first release through version 1.11 are affected. The vendor, ThemeREX, distributes the Manoir theme for WordPress.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is high severity. An EPSS score of less than 1 % indicates a very low likelihood of exploitation in the wild at the time of assessment, and the issue is not catalogued in the CISA KEV list. The likely attack path involves a remote web request that supplies a crafted filename via a URL parameter or form input to the theme’s include logic; this inference comes from the description’s mention of an arbitrary filename being used without validation. Successful exploitation requires that the attacker can influence the include path; if the server permits execution of the included PHP code, remote code execution may result.

Generated by OpenCVE AI on April 16, 2026 at 05:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Manoir theme to a release newer than version 1.11; if no update is available, do not deploy the theme until a fix is released.
  • If upgrading is not immediately possible, edit the PHP files that perform the include/require operation to validate the filename against a whitelist or restrict the path to a known safe directory before inclusion.
  • Configure the web server's PHP settings to disable the allow_url_include directive and set open_basedir to restrict file inclusion to the website's safe directories.
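
One way to apply the allowlist and safe-directory check from the second action above, as an added example that is not the Manoir theme's code. The page does not publish the theme's include sites or parameters, so the function name, the allowlist and the temporary directory are all hypothetical and constructed for the demonstration.

```php
<?php
// Added illustration: hardened include helper. All names are hypothetical;
// the theme's real include sites and parameters are not given on this page.

/**
 * Map a caller-supplied key to a file path, returning it only if
 * (1) the key is on a fixed allowlist and (2) the canonical path stays
 * inside the intended base directory. Returns null otherwise.
 */
function safe_template_path(string $key, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the request value is only a lookup key, never a path.
    if (!array_key_exists($key, $allowed)) {
        return null;
    }
    // 2. Containment: canonicalise, then confirm the file is under $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null; // base directory or target file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // a symlink or "../" resolved outside the base directory
    }
    return is_file($path) ? $path : null;
}

// Constructed sample: a temporary directory stands in for a template folder.
$baseDir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
@mkdir($baseDir);
file_put_contents($baseDir . '/header-default.php', '<?php echo "default header\n";');

$allowed = ['default' => 'header-default.php']; // key => file, fixed in code

// Constructed request values: one valid key, two that must be refused.
foreach (['default', 'not-on-list', '../outside.php'] as $requested) {
    $path = safe_template_path($requested, $baseDir, $allowed);
    if ($path === null) {
        echo 'rejected: ' . var_export($requested, true) . "\n";
        continue;
    }
    include $path; // reached only for allowlisted, contained files
}

// Remove the constructed sample files.
unlink($baseDir . '/header-default.php');
rmdir($baseDir);
```

The request value is used only as an array key, so it never reaches the filesystem as a path; the realpath comparison additionally covers allowlist entries that point at symlinks.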

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themerex; Themerex manoir; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themerex; Themerex manoir; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Manoir manoir allows PHP Local File Inclusion. This issue affects Manoir: from n/a through <= 1.11.

Type: Title
Values Removed: (none)
Values Added: WordPress Manoir theme <= 1.11 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:25.223Z

Reserved: 2026-02-25T12:13:12.449Z

Link: CVE-2026-28019

Vulnrichment

Updated: 2026-03-06T13:45:45.383Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:34.150

Modified: 2026-03-06T14:16:10.870

Link: CVE-2026-28019

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:15:25Z

Weaknesses