Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Craftis craftis allows PHP Local File Inclusion. This issue affects Craftis: from n/a through <= 1.2.8.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Craftis theme passes user-controllable input into a PHP include/require statement without adequately constraining the resulting filename (CWE-98). An attacker who sends a crafted request can therefore make the server include an arbitrary file from its local filesystem. Because PHP executes whatever code an included file contains, this is more than a read primitive: if the attacker can get PHP code written anywhere the web server can read, including that file yields remote code execution. The local variant does not depend on allow_url_include, so PHP's default of refusing remote includes is not a mitigation. The vulnerability carries a CVSS 3.1 base score of 8.1 (High).

Affected Systems

WordPress sites running the ThemeREX Craftis theme at version 1.2.8 or earlier. The advisory gives no lower bound (listed as n/a), so every release up to and including 1.2.8 should be treated as affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) yields a score of 8.1: the flaw is reachable over the network by an unauthenticated attacker with no user interaction, attack complexity is rated high, and a successful attack gives full loss of confidentiality, integrity and availability. The EPSS estimate is below 1 %, and the SSVC assessment records no known exploitation and rates the issue as not automatable, so the current likelihood of exploitation is low even though the technical severity is high. Because the theme forwards user-controllable request input to an include/require statement, anyone who can reach the affected endpoint can attempt to make the server include a local file of their choosing. Absence from the CISA KEV catalog indicates that no in-the-wild exploitation had been confirmed when this entry was enriched, not that the issue can be deferred: an included file is executed as PHP, so the flaw should be remediated promptly.

Generated by OpenCVE AI on April 15, 2026 at 23:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Craftis theme to a fixed release (1.2.9 or later) as soon as the vendor publishes one; no fixed version was listed when this entry was enriched. If no fix is forthcoming, replace the theme with one that does not carry the flaw.
  • Until a fix is available, confine the include/require logic to a fixed allowlist of template names and verify that the resolved path stays inside the theme directory, so that no request value can influence which file the server includes. Edits made directly to the theme's files are overwritten by the next theme update and must be reapplied.
  • Validate every parameter that contributes to a file path: reject path separators, ".." sequences, null bytes and stream wrappers such as php://, data: and phar://, and check the value after any URL decoding the code performs, since decoding can reintroduce sequences that an earlier check removed. Disabling allow_url_include does not prevent local inclusion. A web application firewall rule that blocks traversal sequences and stream wrappers in request parameters reduces exposure while waiting for a patch but is not a substitute for fixing the include.
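The CWE-98 pattern described under Impact and the allowlist and path-check advice in the recommended actions, shown as an added PHP example. This is not code from the Craftis theme or from ThemeREX; the request parameter name, the templates/ directory and the template names are assumptions chosen only to show a vulnerable include next to a hardened one.

```php
<?php
declare(strict_types=1);

// Added illustration of CWE-98 (user-controlled filename in a PHP include) and
// of the allowlist-plus-path-check fix. This is NOT code from the Craftis theme;
// the "template" parameter, the templates/ directory and the template names are
// assumptions chosen only to show the pattern.

// Vulnerable pattern: the request value reaches include() unchanged. A value such
// as "../../wp-config" or a stream wrapper such as
// "php://filter/convert.base64-encode/resource=../wp-config.php" lets the
// attacker choose which file PHP executes or discloses.
function render_template_unsafe(string $base_dir, string $template): void
{
    include $base_dir . '/' . $template . '.php';
}

// Hardened pattern: (1) the request value must match a fixed allowlist of
// template names, and (2) the resolved path must lie under the base directory.
// The second check is defence in depth against later edits to the allowlist.
const ALLOWED_TEMPLATES = ['home', 'portfolio', 'contact'];

function resolve_template(string $base_dir, string $template): ?string
{
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;                       // unknown name: refuse, never guess
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $template . '.php');
    if ($base === false || $path === false) {
        return null;                       // directory or file does not exist
    }
    // Compare against base plus separator so /themes/x-evil cannot match /themes/x.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;                       // resolved outside the base directory
    }
    return $path;
}

function render_template_safe(string $base_dir, string $template): bool
{
    $path = resolve_template($base_dir, $template);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Self-contained demo on constructed files in a temporary directory.
$dir = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/home.php', "<?php echo \"home template rendered\\n\";");
file_put_contents($dir . '/secret.php', "<?php echo \"this stands in for wp-config.php\\n\";");

$inputs = [
    'home',                                   // legitimate template name
    '../secret',                              // traversal out of templates/
    'home/../../secret',                      // traversal hidden behind a valid prefix
    'php://filter/resource=../secret',        // stream wrapper
    "home\0",                                 // null byte (PHP 8 rejects it in include paths)
];
foreach ($inputs as $in) {
    $result = resolve_template($dir . '/templates', $in);
    printf("%-40s -> %s\n", addcslashes($in, "\0"), $result === null ? 'REJECTED' : 'OK: ' . $result);
}
render_template_safe($dir . '/templates', 'home');   // includes the allowed file

// Cleanup of the constructed files.
unlink($dir . '/templates/home.php');
unlink($dir . '/secret.php');
rmdir($dir . '/templates');
rmdir($dir);
```

Run it with `php lfi_demo.php`: only the bare template name resolves; every other input is rejected by the allowlist before realpath() is consulted, and the path-prefix check would still catch a traversal if an allowlisted name were ever mapped to a path outside the directory. In a real theme the base directory would come from get_template_directory() and the value from the request; the property that matters is that the request value never reaches include() except by being mapped through a fixed list.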

Generated by OpenCVE AI on April 15, 2026 at 23:16 UTC.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Added: Themerex; Themerex craftis; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Themerex; Themerex craftis; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 14:15:00 +0000

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Craftis craftis allows PHP Local File Inclusion. This issue affects Craftis: from n/a through <= 1.2.8.
Type: Title
  Values Added: WordPress Craftis theme <= 1.2.8 - Local File Inclusion vulnerability
Type: Weaknesses
  Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:25.781Z

Reserved: 2026-02-25T12:13:12.449Z

Link: CVE-2026-28021

Vulnrichment

Updated: 2026-03-06T13:44:44.785Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:34.423

Modified: 2026-03-06T14:16:11.460

Link: CVE-2026-28021

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses