Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Mandala mandala allows PHP Local File Inclusion. This issue affects Mandala: from n/a through <= 2.8.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The vulnerability originates from improper control of filenames used in PHP's include/require statements within the Mandala WordPress theme. A request that supplies a crafted filename can cause the theme to include arbitrary local files, possibly exposing sensitive data or enabling execution of server‑side code. The CVSS score of 8.1 reflects the significance of the potential information disclosure and code execution risks associated with this local file inclusion flaw.

Affected Systems

All installations of the ThemeREX Mandala theme from the earliest available release through version 2.8, inclusive, are affected. WordPress sites that have not upgraded the theme beyond 2.8 remain vulnerable.

Risk and Exploitability

The flaw can be triggered via user-supplied parameters processed by the theme and may be reachable through public URLs. The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. If exploited, an attacker could read arbitrary local files from the server or, if a PHP file is included, execute server-side code. Exploitation does not require authentication, and the impact is confined to the web server hosting the WordPress site.

Generated by OpenCVE AI on April 18, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mandala theme to a release newer than version 2.8, ensuring that the vulnerable include statement has been removed.
  • If an immediate update is not possible, disable the feature that allows user‑controlled filenames or sanitize the input before it is passed to include().
  • Configure the web server or PHP configuration to restrict include paths to trusted directories and block direct access to sensitive system files.
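The following PHP is an added illustration of the weakness class this record names (CWE-98) next to the two mitigations in the recommended actions: an allowlist of template names, and confinement of the resolved path to a trusted directory. It is not code from the Mandala theme, ThemeREX or OpenCVE; the `template` request parameter, the `templates/` directory and the template names are assumed for the example.

```php
<?php
// Added illustration of CWE-98 and its mitigation. NOT code from the Mandala
// theme or from OpenCVE; the "template" parameter and the templates/ directory
// are assumptions made for this example.

// --- Vulnerable pattern: a request value reaches include() unchanged. ---
function render_template_unsafe(string $requested): void
{
    // A traversal sequence or absolute path in $requested escapes templates/,
    // so any readable file on the server can be included.
    include __DIR__ . '/templates/' . $requested . '.php';
}

// --- Hardened pattern 1: allowlist of known template names. ---
const ALLOWED_TEMPLATES = ['home', 'single', 'archive']; // assumed names

function resolve_template_allowlist(string $requested): ?string
{
    // Exact match against a fixed set: no path components can get through.
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    return __DIR__ . '/templates/' . $requested . '.php';
}

// --- Hardened pattern 2: canonicalise, then prove containment in $baseDir. ---
function resolve_template_confined(string $requested, string $baseDir): ?string
{
    // Reject anything that is not a plain identifier (no separators, no NUL).
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $requested)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    // realpath() resolved symlinks and "..", so a prefix check is meaningful.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the trusted directory
    }
    return $candidate;
}

function render_template_safe(string $requested): void
{
    $path = resolve_template_allowlist($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Assumed dispatch: the request parameter never touches include() directly.
render_template_safe($_GET['template'] ?? 'home');
```

The allowlist is the stronger of the two checks and is what the second recommended action amounts to in code; the `realpath()` containment check is the fallback when template names cannot be enumerated. The third recommended action corresponds to PHP's `open_basedir` directive (restricts which directories file functions may touch) together with `allow_url_include=Off`, which rules out the remote variant of this weakness class regardless of application code.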

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Themerex; Themerex mandala; Wordpress; Wordpress wordpress
Vendors & Products                    Themerex; Themerex mandala; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Mandala mandala allows PHP Local File Inclusion. This issue affects Mandala: from n/a through <= 2.8.
Title                          WordPress Mandala theme <= 2.8 - Local File Inclusion vulnerability
Weaknesses                     CWE-98
References

Subscriptions

Themerex Mandala
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:34.706Z

Reserved: 2026-02-25T12:13:34.840Z

Link: CVE-2026-28057

Vulnrichment

Updated: 2026-03-05T20:39:33.035Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:39.257

Modified: 2026-03-05T22:16:14.840

Link: CVE-2026-28057

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:30:05Z

Weaknesses