Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Peter Mason petermason allows PHP Local File Inclusion. This issue affects Peter Mason: from n/a through <= 1.4.5.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Update
AI Analysis

Impact

Improper control of the filename passed to a PHP include/require statement in the ThemeREX Peter Mason theme allows an attacker to include local files. This flaw, classified as CWE-98, can enable reading of arbitrary files on the web server and, if the included file contains PHP code, execution of that code. The description does not explicitly state confidentiality, integrity, or availability impacts, but the ability to execute code on the server is inherent in a local file inclusion flaw.

Affected Systems

WordPress sites running the Peter Mason theme at version 1.4.5 or earlier are affected. The affected range covers every release from the first version through 1.4.5, so any installation within that ceiling is vulnerable unless the theme has been upgraded past it.

Risk and Exploitability

The CVSS v3.1 base score of 8.1 rates the vulnerability High, while the EPSS score below 1% indicates a low but non-zero probability of exploitation at the time of analysis. The CVE is not listed in the CISA KEV catalog. Based on the description, attackers are inferred to exploit the flaw remotely by crafting HTTP requests that manipulate the include path, which triggers the flaw whenever the vulnerable endpoint is exposed. Mitigating factors include typical server restrictions such as open_basedir or file permission settings, which can limit the reach of local file inclusion attempts.

Generated by OpenCVE AI on April 17, 2026 at 12:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Peter Mason theme to a version newer than 1.4.5 that removes the unsafe include logic.
  • Disable or replace the theme with a non‑vulnerable alternative until an update is applied.
  • Restrict the theme’s file permissions and configure PHP’s include path or open_basedir setting to prevent arbitrary file access.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Themerex; Themerex peter Mason; Wordpress; Wordpress wordpress
Vendors & Products                    Themerex; Themerex peter Mason; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 22:15:00 +0000

Type       Values Removed   Values Added
Metrics                     cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                            ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Peter Mason petermason allows PHP Local File Inclusion. This issue affects Peter Mason: from n/a through <= 1.4.5.
Title                          WordPress Peter Mason theme <= 1.4.5 - Local File Inclusion vulnerability
Weaknesses                     CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:33.144Z

Reserved: 2026-02-25T12:13:30.135Z

Link: CVE-2026-28052

Vulnrichment

Updated: 2026-03-05T21:15:56.655Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:38.423

Modified: 2026-03-05T22:16:13.980

Link: CVE-2026-28052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:00:11Z

Weaknesses