Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events n7-golf-club allows PHP Local File Inclusion. This issue affects N7 | Golf Club Sports & Events: from n/a through <= 2.16.0.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The vulnerability arises from insufficient validation of the filename passed to a PHP include/require call within the ThemeREX N7 theme, allowing an attacker to make the theme include a file of the attacker's choosing from the server's local file system. This can expose any file readable by the web server process and, if the included file contains PHP code, enable arbitrary code execution, raising the risk of full site compromise.

Affected Systems

WordPress sites using the N7 | Golf Club Sports & Events theme by ThemeREX, specifically any version from the first release through and including 2.16.0. Site owners must verify that their current installation falls within this affected range.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity, but the EPSS score remains below 1%, reflecting a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to send a crafted request to the public‑facing site that triggers the vulnerable include path; success would permit reading sensitive files or executing PHP code.

Generated by OpenCVE AI on April 16, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeREX N7 theme to version 2.17.0 or later, if an update containing the fix is available.
  • If no updated version exists, enforce file‑system permissions or server configuration that blocks PHP execution in the theme’s directories (for example, set the directories to read‑only for the web server or use an .htaccess rule to deny PHP processing).
  • Implement server‑side validation of any request parameters that influence file paths, and deploy a web application firewall rule to detect and block typical LFI request patterns.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Themerex
  • Themerex n7 | Golf Club Sports & Events
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Themerex
  • Themerex n7 | Golf Club Sports & Events
  • Wordpress
  • Wordpress wordpress

Thu, 05 Mar 2026 22:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events n7-golf-club allows PHP Local File Inclusion. This issue affects N7 | Golf Club Sports & Events: from n/a through <= 2.16.0.

Type: Title
Values Removed: (none)
Values Added: WordPress N7 | Golf Club Sports & Events theme <= 2.16.0 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:31.154Z

Reserved: 2026-02-25T12:13:30.134Z

Link: CVE-2026-28045

Vulnrichment

Updated: 2026-03-05T21:44:17.101Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:37.450

Modified: 2026-03-05T22:16:13.143

Link: CVE-2026-28045

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses