Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Grit grit allows PHP Local File Inclusion. This issue affects Grit: from n/a through <= 1.0.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: PHP Local File Inclusion
Action: Upgrade
AI Analysis

Impact

The weakness (CWE-98) is improper control of the filename passed to a PHP include/require statement in the Grit theme, which the advisory classifies as Local File Inclusion. An unauthenticated attacker who can influence the include path can make the server include files it was never meant to serve: configuration files such as wp-config.php expose database credentials and authentication salts, and if the attacker can place PHP code anywhere on the filesystem (an uploaded file, a poisoned log) the inclusion executes it, turning the bug into remote code execution. LFI by itself does not provide an upload primitive; the code-execution path depends on a file the attacker already controls. The CVSS vector rates confidentiality, integrity and availability impact all High. The CVE description states that the issue affects Grit up to and including version 1.0.1.

Affected Systems

AncoraThemes sells the Grit WordPress theme. Any WordPress installation running Grit 1.0.1 or earlier is affected. The advisory does not restrict the issue to a particular operating system or PHP version, so every environment with the affected theme should be treated as exposed. Files under wp-content/themes/ are normally reachable over HTTP whether or not the theme is the active one, so an installed but inactive copy may still be exposed depending on where the vulnerable include lives.

Risk and Exploitability

The CVSS v3.1 base score is 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: exploitable over the network without privileges or user interaction, with full confidentiality, integrity and availability impact. The High attack complexity is what holds the score down; the same vector with AC:L would score 9.8. The EPSS probability is below 1 %, so exploitation activity is currently considered unlikely. Absence from the CISA KEV catalog means no active exploitation has been confirmed, not that no exploit exists; the SSVC record likewise lists Exploitation: none and Automatable: no. The likely attack vector is a crafted request that passes an attacker-controlled filename into the theme's include logic. This is inferred from the weakness class; the advisory does not name the parameter or file involved.

Generated by OpenCVE AI on April 15, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Grit to a release that removes the vulnerable include/require logic as soon as the vendor publishes one. The advisory lists no fixed version, so confirm from the release notes that the fix is included rather than assuming the next version addresses it.
  • If an upgrade is not possible, disable the functionality that reaches the vulnerable include, or remove the offending code from the theme files. A WAF rule that blocks traversal sequences (../) and stream wrappers (php://) in request parameters is a stopgap, not a fix.
  • Validate file paths in PHP properly: map untrusted input onto an allowlist of known files, never pass unsanitized user input to include/require, and follow the CWE-98 mitigation guidance.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 17:15:00 +0000

Type: Metrics (values added; none removed)
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared (values added; none removed)
  Ancorathemes
  Ancorathemes grit
  Wordpress
  Wordpress wordpress
Type: Vendors & Products (values added; none removed)
  Ancorathemes
  Ancorathemes grit
  Wordpress
  Wordpress wordpress

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description (values added; none removed)
  Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Grit grit allows PHP Local File Inclusion. This issue affects Grit: from n/a through <= 1.0.1.
Type: Title (values added; none removed)
  WordPress Grit theme <= 1.0.1 - Local File Inclusion vulnerability
Type: Weaknesses (values added; none removed)
  CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:30.684Z

Reserved: 2026-02-25T12:13:25.489Z

Link: CVE-2026-28041

Vulnrichment

Updated: 2026-03-06T16:33:22.141Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:37.037

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28041

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses