Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Stargaze stargaze allows PHP Local File Inclusion. This issue affects Stargaze: from n/a through <= 1.5.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The WordPress Stargaze theme by ThemeREX contains an improper control of filename for an include/require statement (CWE-98), resulting in a local file inclusion vulnerability. An attacker can supply a crafted filename that causes the PHP engine to include arbitrary files from the server, potentially exposing sensitive configuration or code. Because the inclusion executes in the context of the web request, a successful attack can lead to remote code execution, data exfiltration or further compromise of the site.

Affected Systems

ThemeREX Stargaze theme is affected from its initial release through version 1.5. WordPress installations that use any version of Stargaze up to 1.5 are at risk, unless the theme has been updated to a newer version.

Risk and Exploitability

With a CVSS score of 8.1, this vulnerability is rated high severity. The EPSS score is below 1%, indicating a low probability of current exploitation, and it is not listed in CISA's KEV catalog. However, the vulnerability can be exploited remotely via a public-facing URL that accepts a user-specified file path. Successful exploitation can provide unauthorized access to sensitive data or arbitrary code execution on the server. The lack of an authentication requirement is inferred from the public nature of the parameter used for file inclusion.

Generated by OpenCVE AI on April 15, 2026 at 23:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Stargaze theme to a version newer than 1.5 or, if an update is not available, remove the theme entirely and switch to a secure alternative.
  • If an immediate update is not possible, reduce the impact of the vulnerable functionality: set file permissions so the web server user cannot read sensitive files it does not need, and configure PHP to disallow unsafe remote includes (e.g., setting allow_url_include to Off). Note that allow_url_include only governs URL wrappers; it does not prevent inclusion of files already present on the local filesystem, so it is a hardening step rather than a fix for this issue.
  • Monitor the site for unexpected file access or execution and review access logs for suspicious inclusion attempts.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Values removed: none

Values added:
  • First Time appeared: Themerex; Themerex stargaze; Wordpress; Wordpress wordpress
  • Vendors & Products: Themerex; Themerex stargaze; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 14:15:00 +0000

Values removed: none

Values added:
  • Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Values removed: none

Values added:
  • Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Stargaze stargaze allows PHP Local File Inclusion. This issue affects Stargaze: from n/a through <= 1.5.
  • Title: WordPress Stargaze theme <= 1.5 - Local File Inclusion vulnerability
  • Weaknesses: CWE-98
  • References: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:26.543Z

Reserved: 2026-02-25T12:13:18.740Z

Link: CVE-2026-28025

Vulnrichment

Updated: 2026-03-06T13:38:43.432Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:34.970

Modified: 2026-03-06T14:16:11.817

Link: CVE-2026-28025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses