Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX EmojiNation emojination allows PHP Local File Inclusion.This issue affects EmojiNation: from n/a through <= 1.0.12.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

ThemeREX EmojiNation contains an improper control over file names in PHP include/require statements (CWE-98), enabling a local file inclusion flaw. An attacker who can influence the file parameter can read arbitrary files on the server or inject PHP code for execution, thereby compromising confidentiality, integrity, and potentially availability of the site.

Affected Systems

The vulnerability affects all versions of the EmojiNation WordPress theme up to and including version 1.0.12 by ThemeREX. No newer versions are currently documented as affected.

Risk and Exploitability

The evaluation assigns a rating of 8.1, indicating high severity, while the exploitation probability is currently very low. The likely attack vector is a local request to the theme’s PHP file that includes user-supplied input; the attacker does not need remote access and can leverage the site’s own file system, though the exploit still requires authenticated or unauthenticated access to the theme’s files. The combination of high severity and very low exploitation probability suggests that prevention and timely patching remain critical.

Generated by OpenCVE AI on April 18, 2026 at 09:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EmojiNation theme to the latest available version to address the inclusion flaw.
  • If an immediate update is not possible, disable or delete the EmojiNation theme to prevent unauthorized includes.
  • Enforce strict file permissions on the WordPress /wp-content/themes directory, limiting write access to the web server user and preventing execution of unintended scripts.

Generated by OpenCVE AI on April 18, 2026 at 09:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex emojination
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex emojination
Wordpress
Wordpress wordpress

Fri, 06 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX EmojiNation emojination allows PHP Local File Inclusion.This issue affects EmojiNation: from n/a through <= 1.0.12.
Title WordPress EmojiNation theme <= 1.0.12 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Emojination
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:27.290Z

Reserved: 2026-02-25T12:13:18.740Z

Link: CVE-2026-28029

cve-icon Vulnrichment

Updated: 2026-03-06T13:22:16.490Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:35.500

Modified: 2026-03-06T14:16:12.177

Link: CVE-2026-28029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:00:10Z

Weaknesses