Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX M.Williamson williamson allows PHP Local File Inclusion. This issue affects M.Williamson: from n/a through <= 1.2.11.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution via Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from an uncontrolled filename passed to PHP include or require statements within the ThemeREX M.Williamson theme. An attacker who can influence the path may read sensitive files on the server or cause the inclusion of a malicious PHP file, which could then be executed as part of the web application, leading to a full compromise of the WordPress site. The weakness is classified as CWE-98 and directly compromises confidentiality, integrity, and availability of the affected system.

Affected Systems

All installations of the M.Williamson WordPress theme with versions up to and including 1.2.11 are affected. Users should verify that no legacy version is active on their site and that the theme has not been modified in a way that reintroduces the vulnerable include logic.

Risk and Exploitability

The flaw carries a high-severity CVSS score of 8.1, but its estimated likelihood of exploitation is very low (EPSS below 1%), and it is not listed in CISA's Known Exploited Vulnerabilities catalog. An attacker would need a way to supply the include path, such as a front-end parameter or an exposed configuration option, and no public exploitation tools have been documented to date. Consequently, while the impact is severe if triggered, the current threat of widespread exploitation remains limited.

Generated by OpenCVE AI on April 16, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the M.Williamson theme to version 1.2.12 or newer, which eliminates the vulnerable include logic.
  • If the theme update cannot be applied immediately, disable the theme or switch to a trusted alternative to prevent execution of the unpatched code.
  • Configure PHP to restrict include paths to trusted directories and enforce validation on any user‑supplied filename input.
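The last two actions above in code, as an added example that is not the theme's or Patchstack's code: a theme-style loader that maps an untrusted layout value to a fixed file through an allowlist and then confirms the resolved path stays inside the theme directory before including it. The function name mw_load_layout, the 'layout' query key and the template file names are assumptions; get_template_directory(), wp_unslash() and sanitize_key() are WordPress core functions.

```php
<?php
// Added example, not the M.Williamson theme's code. The CWE-98 pattern is
// passing a request value straight to include/require; this loader never does.
// Names (mw_load_layout, 'layout', templates/*.php) are assumptions.

function mw_load_layout(string $requested): bool {
    // 1. Allowlist: the request selects a key, never a path or file name.
    $allowed = [
        'default' => 'templates/layout-default.php',
        'wide'    => 'templates/layout-wide.php',
        'grid'    => 'templates/layout-grid.php',
    ];
    if (!array_key_exists($requested, $allowed)) {
        return false; // unknown key: caller falls back to the default
    }

    // 2. Containment: resolve the real path and require it to sit under the
    //    theme root. Redundant with the allowlist, but it survives later edits
    //    that might turn the map values into something derived from input.
    $root = realpath(get_template_directory());
    $path = ($root === false) ? false : realpath($root . '/' . $allowed[$requested]);
    if ($root === false || $path === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }

    include $path;
    return true;
}

// Untrusted input: unslash and reduce to [a-z0-9_-] before the lookup.
$layout = isset($_GET['layout']) ? sanitize_key(wp_unslash($_GET['layout'])) : 'default';
if (!mw_load_layout($layout)) {
    mw_load_layout('default');
}

// Defence in depth at the PHP level (php.ini or the pool config), so that even
// a regression cannot open files outside the web root and temp directory:
//   open_basedir = /var/www/html:/tmp
```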

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themerex; Themerex m.williamson; Wordpress; Wordpress wordpress
Vendors & Products | | Themerex; Themerex m.williamson; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 13:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX M.Williamson williamson allows PHP Local File Inclusion. This issue affects M.Williamson: from n/a through <= 1.2.11.
Title | | WordPress M.Williamson theme <= 1.2.11 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:33.981Z

Reserved: 2026-02-25T12:13:34.839Z

Link: CVE-2026-28055

Vulnrichment

Updated: 2026-03-06T12:15:58.212Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:38.983

Modified: 2026-03-06T13:16:04.517

Link: CVE-2026-28055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses