Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dixon dixon allows PHP Local File Inclusion. This issue affects Dixon: from n/a through <= 1.4.2.1.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to unauthorized code execution
Action: Patch Update
AI Analysis

Impact

The vulnerability is improper control of the filename passed to an include/require statement in PHP (CWE-98), which allows local file inclusion. An attacker who can influence the filename the Dixon theme hands to include/require can make the PHP interpreter load, and if it contains PHP code execute, a file from the server's local filesystem. Anything included this way runs with the privileges of the web server process inside the WordPress installation, so the flaw can lead to code execution and full compromise of confidentiality, integrity, and availability. As with any LFI, turning file inclusion into code execution generally requires the attacker to also get PHP code onto the filesystem somewhere reachable by the include (for example an uploaded file or a writable log); the advisory does not describe such a chain.
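The following is an added illustration of the CWE-98 pattern the advisory describes, not code from the Dixon theme: the advisory does not say which request parameter or theme function is affected, so the template loader, the directory layout and the file names below are hypothetical. It shows a vulnerable include sink reached by a path-traversal payload next to a hardened resolver that uses an allowlist of template names plus a realpath() containment check. The fixture files are constructed in a temporary directory so the script runs stand-alone.

```php
<?php
// Added example for CWE-98 (not Dixon's code). The template-loading logic is
// hypothetical; only the class of bug matches the advisory.
declare(strict_types=1);

// Constructed fixture: a stand-in theme directory with two legitimate templates,
// plus a PHP file outside it representing any attacker-reachable code on the
// server (an uploaded file, a poisoned log, and so on).
$root      = sys_get_temp_dir() . '/cwe98-demo-' . getmypid();
$templates = $root . '/theme/templates';
mkdir($templates, 0700, true);
file_put_contents($templates . '/header.php', "<?php echo 'header template rendered';");
file_put_contents($templates . '/footer.php', "<?php echo 'footer template rendered';");
file_put_contents($root . '/planted.php',     "<?php echo 'ATTACKER FILE EXECUTED';");

// Vulnerable sink: request-controlled data is concatenated into the include path.
// The fixed '.php' suffix does not help, because '../' still walks out of the
// templates directory to any other .php file the attacker can reach.
function vulnerable_include(string $templatesDir, string $name): void
{
    include $templatesDir . '/' . $name . '.php';
}

// Hardened resolver: the allowlist of known template names is the primary
// control; the realpath() containment check is a second layer in case the
// allowlist is ever widened. Returns the resolved path, or null on rejection.
function resolve_template(string $templatesDir, string $name, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base      = realpath($templatesDir);
    $candidate = realpath($templatesDir . '/' . $name . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    // The resolved file must sit strictly inside the templates directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$allowed = ['header', 'footer'];

echo "vulnerable sink, legitimate name:   ";
vulnerable_include($templates, 'header');
echo "\nvulnerable sink, traversal payload: ";
vulnerable_include($templates, '../../planted');   // runs planted.php
echo "\n\n";

foreach (['header', 'footer', '../../planted', 'header/../../../planted', 'Header'] as $name) {
    $path = resolve_template($templates, $name, $allowed);
    printf("hardened resolver %-28s => %s\n", var_export($name, true),
        $path === null ? 'rejected' : 'include ' . basename($path));
}

// Remove the fixture.
foreach (glob($templates . '/*.php') as $f) {
    unlink($f);
}
unlink($root . '/planted.php');
rmdir($templates);
rmdir($root . '/theme');
rmdir($root);
```

Run it with `php` from the command line. The allowlist is deliberately the first check: a realpath() containment test on its own only confirms that the file lives under the templates directory, which is no protection if an attacker can drop a .php file into that directory through some other bug. Appending a fixed extension is likewise not a mitigation, since modern PHP rejects NUL bytes in paths but traversal to a different .php file, as shown, still works.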

Affected Systems

WordPress installations using the ThemeREX Dixon theme with versions from the earliest released build through 1.4.2.1 are affected. Any deployment of this theme within a WordPress site is potentially vulnerable until a fixed version is applied.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 (High) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: exploitable over the network without privileges or user interaction, but with high attack complexity, and with high impact on confidentiality, integrity, and availability. The EPSS score is below 1%, so the estimated probability of exploitation in the wild is currently low, and the vulnerability is not listed in the CISA KEV catalog; the SSVC record likewise marks exploitation as 'none' and the issue as not automatable. Note that "local" in Local File Inclusion refers to where the included file lives (the server's own filesystem), not to the attacker's position: the attack vector is network. The advisory does not identify the request parameter or theme function involved; in general, the sink to look for is any code path in the theme that builds an include/require path from request-controlled data. A low EPSS is a population-level estimate, not a reason to defer patching a specific site, and CWE-98 issues in WordPress themes are routinely probed by automated scanners once details are public.

Generated by OpenCVE AI on April 15, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeREX Dixon theme to a release later than 1.4.2.1 as soon as the vendor publishes one; the advisory currently lists no fixed version, so check the vendor's changelog and the Patchstack entry for an update.
  • If the theme exposes any option that lets administrators specify file or template paths used in includes or requires, disable or remove it until a fix is available.
  • If an immediate update is not possible, reduce the blast radius of an inclusion attempt: tighten filesystem permissions so the PHP process can read only what it needs, set PHP's open_basedir for the site to confine file access to the WordPress tree, and keep upload directories non-executable so an attacker has nowhere to plant PHP code to include.


Tracking


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Themerex
                                       Themerex dixon
                                       Wordpress
                                       Wordpress wordpress
Vendors & Products                     Themerex
                                       Themerex dixon
                                       Wordpress
                                       Wordpress wordpress

Thu, 05 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1
                           {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description                    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dixon dixon allows PHP Local File Inclusion. This issue affects Dixon: from n/a through <= 1.4.2.1.
Title                          WordPress Dixon theme <= 1.4.2.1 - Local File Inclusion vulnerability
Weaknesses                     CWE-98
References

Subscriptions

Themerex Dixon
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:35.241Z

Reserved: 2026-02-25T12:13:34.840Z

Link: CVE-2026-28058

Vulnrichment

Updated: 2026-03-05T21:08:31.758Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:39.397

Modified: 2026-03-05T22:16:15.033

Link: CVE-2026-28058

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses