Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Kayon kayon allows PHP Local File Inclusion.This issue affects Kayon: from n/a through <= 1.3.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Immediately
AI Analysis

Impact

The Kayon theme for WordPress contains an improper control of the filename that leads to a PHP Local File Inclusion flaw. An attacker can supply crafted input that resolves to an arbitrary file when the theme performs an include or require, allowing the server to read sensitive files or execute attacker‑supplied PHP code if a PHP file can be accessed or uploaded. This can compromise confidentiality, integrity, and may ultimately lead to full site compromise.

Affected Systems

All WordPress installations using the ThemeREX Kayon theme version 1.3 or earlier are vulnerable. The flaw spans every release of the theme up to and including 1.3, with no later versions indicated as affected.

Risk and Exploitability

The CVSS score of 8.1 signals high severity. The exploit probability score is less than 1 %, indicating that exploitation is unlikely at present. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote via an HTTP request that supplies a crafted parameter or path that the theme uses in an unsanitized include or require call. An attacker only needs the ability to send requests to the affected WordPress site; no privileged access or local compromise is required. Successful exploitation could allow reading any file in the webroot or executing PHP code, enabling full site compromise.

Generated by OpenCVE AI on April 16, 2026 at 04:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kayon theme to a version newer than 1.3 or apply the latest security patch from ThemeREX
  • If an upgrade is not immediately possible, modify the theme’s code to validate or whitelist the filename before inclusion, ensuring only allowed paths are processed
  • As a temporary measure, restrict the web server’s PHP include_path to the theme’s directory and set open_basedir to disallow access to sensitive files

Generated by OpenCVE AI on April 16, 2026 at 04:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex kayon
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex kayon
Wordpress
Wordpress wordpress

Fri, 06 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Kayon kayon allows PHP Local File Inclusion.This issue affects Kayon: from n/a through <= 1.3.
Title WordPress Kayon theme <= 1.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Kayon
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:26.922Z

Reserved: 2026-02-25T12:13:18.740Z

Link: CVE-2026-28027

cve-icon Vulnrichment

Updated: 2026-03-06T13:33:35.610Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:35.237

Modified: 2026-03-06T14:16:11.997

Link: CVE-2026-28027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses