Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legal Stone legal-stone allows PHP Local File Inclusion.This issue affects Legal Stone: from n/a through <= 1.2.11.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Vulnerability arises from inadequate control of the filename supplied to PHP include/require statements. An attacker can manipulate the input to include arbitrary local files, potentially exposing sensitive data or executing malicious code on the server. In the PHP context, a successful local file inclusion can lead to arbitrary code execution, especially if the included file contains executable content. The description indicates that PHP Remote File Inclusion can occur, and the typical impact is the ability to run code with the permissions of the web application.

Affected Systems

This flaw affects the ThemeREX Legal Stone WordPress theme, from its initial release through version 1.2.11. Any WordPress installation using the affected theme versions is at risk.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Based on how the flaw is described, the attack vector most likely involves supplying a crafted filename via a URL or form input that is blindly fed into a PHP include. If successful, the attacker could read files or execute code. Given the lack of an official fix in the data, the recommendation is to apply a patch or mitigate the flaw to reduce risk.

Generated by OpenCVE AI on April 15, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Legal Stone theme to a version newer than 1.2.11 to apply the official vendor fix.
  • If an immediate upgrade is infeasible, remove or disable any direct access to theme files that trigger the include logic, and ensure that no user‑controlled input reaches the include/require statements.
  • In WordPress configuration, set php.ini directives such as allow_url_include to Off and disable the use of user‑supplied file paths in any theme code.
  • Validate and sanitize any input that is used to construct the file path before passing it to include/require to prevent arbitrary local file inclusion.

Generated by OpenCVE AI on April 15, 2026 at 23:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex legal Stone
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex legal Stone
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Legal Stone legal-stone allows PHP Local File Inclusion.This issue affects Legal Stone: from n/a through <= 1.2.11.
Title WordPress Legal Stone theme <= 1.2.11 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Legal Stone
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:33.786Z

Reserved: 2026-02-25T12:13:34.839Z

Link: CVE-2026-28054

cve-icon Vulnrichment

Updated: 2026-03-05T21:13:30.570Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:38.837

Modified: 2026-03-05T22:16:14.407

Link: CVE-2026-28054

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses