Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Invetex invetex allows PHP Local File Inclusion. This issue affects Invetex: from n/a through <= 2.18.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Theme
AI Analysis

Impact

An improper control of filenames in PHP include/require statements allows a local file inclusion flaw in the Invetex WordPress theme. This weakness permits an attacker to read files from the server’s local filesystem, potentially exposing sensitive data or configuration files. The flaw is identified by CWE‑98, indicating a lack of proper filename validation before including files.

Affected Systems

The vulnerability affects the ThemeREX Invetex theme for WordPress, from the earliest available build through version 2.18. Users running these versions are exposed until they apply an updated theme.

Risk and Exploitability

The severity score is 8.1, indicating high severity. Exploitation probability is below 1%, showing a very low likelihood at present. The vulnerability is not included in the CISA Known Exploited Vulnerabilities catalog. While the description does not specify the exact attack vector, it likely involves manipulating a file path argument to load an arbitrary local file. If exploited, the attacker can read any file accessible to the webserver.

Generated by OpenCVE AI on April 16, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Replace the Invetex theme with the latest version (2.19 or later) that resolves the local file inclusion flaw.
  • If upgrading immediately is not possible, apply a web application firewall rule that blocks requests containing suspicious directory traversal characters such as '..' or patterns typical of file inclusion attempts.
  • Ensure that any file inclusion logic in the theme is hardened by validating file paths against a whitelist of allowed files, and remove or disable any theme settings that accept user-supplied file paths.
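
The allowlist validation recommended in the last item, as an added example. This is not code from the Invetex theme: the `layout` request parameter, the `templates/` directory and `resolve_template()` are hypothetical names chosen for illustration. It contrasts the CWE-98 pattern with a loader that never builds a path from request data.

```php
<?php
// Added illustration of CWE-98 hardening; NOT code from the Invetex theme.
// Hypothetical names: the 'layout' request parameter, the templates/ directory,
// and the function resolve_template().

// Vulnerable pattern (CWE-98): request data flows straight into the include path.
//   include __DIR__ . '/templates/' . $_GET['layout'] . '.php';

/**
 * Map a user-supplied key to a template file, or return null if it is not allowed.
 */
function resolve_template(string $key, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the key selects from fixed names; it is never part of the path.
    if (!array_key_exists($key, $allowed)) {
        return null;
    }

    // 2. Defence in depth: canonicalise and confirm the file stays inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$key]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the template directory (e.g. via symlink)
    }
    return $path;
}

// Constructed allowlist: request key => file name shipped with the theme.
$allowed = [
    'grid' => 'grid.php',
    'list' => 'list.php',
];

$key  = isset($_GET['layout']) && is_string($_GET['layout']) ? $_GET['layout'] : 'grid';
$file = resolve_template($key, __DIR__ . '/templates', $allowed);

if ($file === null) {
    http_response_code(400);   // reject unknown keys rather than falling back silently
    exit('Unknown layout');
}
require $file;
```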

Generated by OpenCVE AI on April 16, 2026 at 12:37 UTC.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themerex; Themerex invetex; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themerex; Themerex invetex; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Invetex invetex allows PHP Local File Inclusion. This issue affects Invetex: from n/a through <= 2.18.

Type: Title
Values Removed: (none)
Values Added: WordPress Invetex theme <= 2.18 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:27.695Z

Reserved: 2026-02-25T12:13:18.741Z

Link: CVE-2026-28031

Vulnrichment

Updated: 2026-03-06T13:20:53.909Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:35.777

Modified: 2026-03-06T14:16:12.370

Link: CVE-2026-28031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses