Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Victo victo allows PHP Local File Inclusion.This issue affects Victo: from n/a through <= 1.4.16.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper control of filenames in include/require statements within the Victo theme, allowing local file inclusion. Categorized as CWE-98, the flaw lets an attacker manipulate parameters that dictate included files, potentially reading sensitive server files. The resulting impact is data disclosure and the possible compromise of the WordPress site.

Affected Systems

The Victo theme from magentech, versions up to and including 1.4.16, is affected. No specific lower bound is provided, so all earlier releases may also be vulnerable.

Risk and Exploitability

The CVSS base score of 8.1 signals a high severity, indicating significant confidentiality, integrity, or availability effects. The EPSS score is below 1%, implying a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers can trigger the flaw locally by controlling the file path used in include or require statements. Overall risk remains high if the server permits such operations, but real-world exploitation likelihood is currently low.

Generated by OpenCVE AI on April 16, 2026 at 12:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Victo theme to the latest version that fixes the LFI flaw.
  • If an update cannot be applied immediately, modify the theme to restrict included files to a whitelist or remove the vulnerable include logic altogether.
  • Ensure the PHP setting allow_url_include is disabled and that open_basedir limits the filesystem areas accessible to the web process.

Generated by OpenCVE AI on April 16, 2026 at 12:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Magentech
Magentech victo
Wordpress
Wordpress wordpress
Vendors & Products Magentech
Magentech victo
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Victo victo allows PHP Local File Inclusion.This issue affects Victo: from n/a through <= 1.4.16.
Title WordPress Victo theme <= 1.4.16 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Magentech Victo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:31.548Z

Reserved: 2026-02-25T12:13:30.134Z

Link: CVE-2026-28047

cve-icon Vulnrichment

Updated: 2026-03-05T21:29:01.875Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:37.730

Modified: 2026-03-05T22:16:13.357

Link: CVE-2026-28047

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses