Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Printy printy allows PHP Local File Inclusion. This issue affects Printy: from n/a through <= 1.8.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Now
AI Analysis

Impact

The Printy theme contains a PHP include/require statement whose filename is derived from user input without proper validation. This flaw permits an attacker to supply arbitrary local file paths, so any file readable by the web server process can be included and its contents exposed. If the chosen file contains PHP code, the included script is executed, potentially allowing an attacker to run code on the server. The possibility of code execution is inferred from the nature of PHP's include mechanism and is not explicitly stated in the official description.
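
The CWE-98 pattern described above, shown as an added example alongside a hardened form (this is illustrative code, not the Printy theme's own; the `template` request parameter, the `partials/` directory and the partial names are assumptions):

```php
<?php
// Added example, not code from the Printy theme: a theme partial loader of the
// CWE-98 shape beside an allowlisted, path-checked version. The request
// parameter name, the partials directory and the partial names are assumed.

// Vulnerable pattern: the included filename is built straight from the request,
// so "../" segments walk out of the theme directory and any readable .php-suffixed
// path (or, with a null byte on old PHP, any file at all) can be included.
function load_partial_vulnerable(): void {
    $name = $_GET['template'] ?? 'default';
    include __DIR__ . '/partials/' . $name . '.php';
}

// Hardened pattern: only names from a fixed allowlist are accepted. The realpath
// containment check is defence in depth in case the allowlist is later loosened.
const ALLOWED_PARTIALS = ['default', 'sidebar', 'footer'];

function resolve_partial(string $name, string $base_dir): ?string {
    if (!in_array($name, ALLOWED_PARTIALS, true)) {
        return null;                                   // unknown name: refuse
    }
    $base = realpath($base_dir);
    $path = realpath($base_dir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;                                   // directory or file missing
    }
    // realpath() resolves symlinks and "..", so a prefix check is meaningful here.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // resolved outside $base_dir
    }
    return $path;
}

function load_partial_hardened(): void {
    $name = (string) ($_GET['template'] ?? 'default');
    $path = resolve_partial($name, __DIR__ . '/partials');
    if ($path === null) {
        // status_header() is a WordPress core helper, assumed available in a theme.
        status_header(404);
        return;
    }
    include $path;
}
```

The allowlist is the essential control: a traversal filter on its own still lets an attacker pick any file whose name happens to end in `.php` inside the directory.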

Affected Systems

Any WordPress site that has the ThemeREX Printy theme installed in a version from the earliest available release through 1.8 is vulnerable. Site owners should verify whether the Printy theme is active and determine the exact version in use.

Risk and Exploitability

The vulnerability has a CVSS base score of 8.1, reflecting high severity. Its EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated request whose parameters manipulate the filename the theme passes to its include statement; a remote attacker could trigger this from the internet. Given the high CVSS and the potential for file disclosure or code execution, the risk remains significant for sites that have not addressed the flaw.

Generated by OpenCVE AI on April 16, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Printy theme to the latest available version that is newer than 1.8, which addresses the LFI flaw.
  • If an update cannot be performed immediately, deactivate or delete the Printy theme from the WordPress installation.
  • Deploy a web application firewall or security plugin that blocks requests containing path traversal or problematic filename parameters used by the Printy theme.

Tracking

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themerex; Themerex printy; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themerex; Themerex printy; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 13:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:

cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Printy printy allows PHP Local File Inclusion. This issue affects Printy: from n/a through <= 1.8.

Type: Title
Values Removed: (none)
Values Added: WordPress Printy theme <= 1.8 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:28.587Z

Reserved: 2026-02-25T12:13:25.489Z

Link: CVE-2026-28035

Vulnrichment

Updated: 2026-03-06T12:19:41.288Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:36.337

Modified: 2026-03-06T13:16:03.943

Link: CVE-2026-28035

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses