Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nuts nuts allows PHP Local File Inclusion.This issue affects Nuts: from n/a through <= 1.10.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that can lead to Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability is caused by improper control of filenames used in PHP include/require statements in the ThemeREX Nuts theme. An attacker can manipulate the path argument to include arbitrary files from the filesystem, potentially executing attacker‑controlled code or exposing sensitive data. This vulnerability is classified as CWE‑98 and carries a CVSS score of 8.1, indicating a high risk level.

Affected Systems

WordPress installations that employ ThemeREX Nuts version 1.10 or earlier are affected. Any site that has not upgraded past 1.10 remains at risk, independent of the WordPress core version.

Risk and Exploitability

The flaw is exploitably remote; the path can often be supplied directly in an HTTP request, allowing the attacker to include local files. The EPSS score of less than 1% reflects a low current probability of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. Nevertheless, the high CVSS score and potential for code execution mean that sites should treat the vulnerability as critical if they can confirm an upgrade has not yet occurred. The attack vector is inferred to be remote via HTTP queries that manipulate the include path.

Generated by OpenCVE AI on April 15, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Nuts theme to a version newer than 1.10 or remove the theme if it is no longer needed.
  • If an upgrade is delayed, modify the theme code to restrict include paths to a whitelist of safe files.
  • Ensure that file‑system permissions prevent the web process from accessing sensitive files that could be included.
  • Consider disabling or removing the functionality that triggers the include logic, or replace the theme with a maintained alternative.

Generated by OpenCVE AI on April 15, 2026 at 23:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex nuts
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex nuts
Wordpress
Wordpress wordpress

Fri, 06 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nuts nuts allows PHP Local File Inclusion.This issue affects Nuts: from n/a through <= 1.10.
Title WordPress Nuts theme <= 1.10 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Nuts
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:26.132Z

Reserved: 2026-02-25T12:13:18.739Z

Link: CVE-2026-28023

cve-icon Vulnrichment

Updated: 2026-03-06T13:39:32.963Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:34.697

Modified: 2026-03-06T14:16:11.633

Link: CVE-2026-28023

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:30:17Z

Weaknesses