Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Motorix motorix allows PHP Local File Inclusion. This issue affects Motorix: from n/a through <= 1.6.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Now
AI Analysis

Impact

The improper control of the filename used in PHP include or require statements within the ThemeREX Motorix theme enables a Local File Inclusion vulnerability. This flaw allows an attacker to cause the WordPress installation to read or execute arbitrary files from the server filesystem. Based on the description, it is inferred that sensitive files such as wp-config.php could be accessed, and if the included files contain executable PHP code, remote code execution might follow. The weakness is identified as CWE‑98, a common class for improperly controlled file inclusion.

Affected Systems

Any WordPress site that has the ThemeREX Motorix theme version 1.6 or earlier installed is affected. The vulnerability is present in all releases from the earliest version through 1.6, regardless of other plugins or WordPress core updates.

Risk and Exploitability

The CVSS score of 8.1 signals high severity. The EPSS score of less than 1% indicates a low current exploitation probability, and the vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is remote, through a crafted HTTP request that manipulates parameters within the theme to supply a file path. The description indicates that the application will include the supplied file, so it is inferred that an attacker could read or possibly execute files on the web server, potentially leading to further compromise of the site or underlying system. Organizations should treat this as a high‑risk vulnerability that requires prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 05:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Motorix theme to a version newer than 1.6 to apply the official fix, once the vendor provides one (none is listed under Remediation above).
  • If an immediate upgrade is not possible, disable or switch to a different theme to eliminate the vulnerable code path.
  • Restrict file system permissions so that the web server process cannot read sensitive directories such as the WordPress root, wp-config.php, or other configuration files; consider separating included files into a dedicated safe directory.



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex motorix
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex motorix
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Motorix motorix allows PHP Local File Inclusion. This issue affects Motorix: from n/a through <= 1.6.
Title WordPress Motorix theme <= 1.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:26.748Z

Reserved: 2026-02-25T12:13:18.740Z

Link: CVE-2026-28026

Vulnrichment

Updated: 2026-03-06T19:38:09.944Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:35.107

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28026

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses