Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Happy Baby happy-baby allows PHP Local File Inclusion.This issue affects Happy Baby: from n/a through <= 1.2.12.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The Happy Baby theme contains an improper validation of file names used in PHP include/require statements. This flaw allows an attacker to supply a crafted path that causes the server to include unintended local files. The weakness is classified as CWE‑98.

Affected Systems

All installations of the ThemeREX Happy Baby theme with versions up to and including 1.2.12 are affected. The vulnerability is limited to the theme files and does not depend on other WordPress components.

Risk and Exploitability

The CVSS score of 8.1 shows high severity. EPSS is below 1 %, indicating a low chance of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker can trigger the flaw through a web request, suggesting exploitation without authentication. If the theme allows write access to included files, the LFI could be extended to arbitrary code execution, but the description does not confirm this.

Generated by OpenCVE AI on April 16, 2026 at 04:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Happy Baby theme to the latest version that removes the LFI flaw.
  • If an update is not possible immediately, deactivate or delete the theme to prevent exploitation until the issue is fixed.
  • Review any custom or legacy code that performs file inclusion and ensure it uses whitelisting or absolute paths; sanitize any user‑provided file names before inclusion.

Generated by OpenCVE AI on April 16, 2026 at 04:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex happy Baby
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex happy Baby
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Happy Baby happy-baby allows PHP Local File Inclusion.This issue affects Happy Baby: from n/a through <= 1.2.12.
Title WordPress Happy Baby theme <= 1.2.12 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Happy Baby
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:36.023Z

Reserved: 2026-02-25T12:13:34.841Z

Link: CVE-2026-28062

cve-icon Vulnrichment

Updated: 2026-03-05T21:01:55.767Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:39.943

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28062

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses