Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Eject eject allows PHP Local File Inclusion. This issue affects Eject: from n/a through <= 2.17.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

This vulnerability arises from improper control of the filename used in a PHP include/require statement within the WordPress Eject theme. An attacker can supply a crafted filename that causes the theme to include arbitrary files from the server, potentially exposing sensitive data or enabling further exploitation. The flaw corresponds to CWE-98, indicating a lack of validation of include paths.

Affected Systems

All installations of the WordPress Eject theme released by ThemeREX at versions 2.17 and lower are affected. The vulnerability is present from the earliest releases through any version up to and including 2.17, so WordPress sites using this theme without upgrading are at risk.

Risk and Exploitability

The CVSS base score of 8.1 categorises the flaw as high severity. Current EPSS data suggests a very low exploitation likelihood (<1%), and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector is local; an attacker must be able to trigger the vulnerable include, typically via a crafted web request against the theme code. No explicit payload requirements are detailed in the provided data, so the exploitation scenario is inferred from the type of LFI described.

Generated by OpenCVE AI on April 15, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WordPress Eject theme to a version newer than 2.17, or apply the vendor-provided patch to remove the insecure include logic.
  • If an immediate update is not possible, modify the theme code to remove or sanitize the include/require statement that accepts user-supplied filenames, ensuring only trusted paths are used.
  • Deploy a web application firewall or similar security controls that detect and block requests containing path-traversal or arbitrary include attempts targeting the vulnerable parameter.
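As an added illustration of the second action above (this is not code from the Eject theme, whose vulnerable parameter and file layout are not given on this page), the generic CWE-98 include pattern next to an allowlist-based replacement; the `view` request parameter, the `templates/` directory and the template names are placeholders:

```php
<?php
// Added example, not Eject theme code. The 'view' parameter, the templates/
// directory and the template names are placeholders for whatever a theme uses.

// Vulnerable shape (CWE-98): the request value reaches include() unchanged,
// so the caller controls which file on the server is executed.
function render_unsafe(string $requested): void {
    include get_template_directory() . '/templates/' . $requested . '.php';
}

// Hardened shape: accept only names from a fixed allowlist, then confirm the
// resolved path still lies inside the templates directory (defence in depth).
function resolve_template(string $requested, string $base_dir): ?string {
    static $allowed = ['home', 'single', 'archive'];     // placeholder names
    if (!in_array($requested, $allowed, true)) {
        return null;                                      // unknown name: refuse
    }
    $base = realpath($base_dir);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null;                                      // missing dir or file
    }
    // realpath() has collapsed ../ segments and symlinks, so a prefix
    // comparison against the base directory is meaningful here.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                                      // escaped the directory
    }
    return $candidate;
}

function render_safe(string $requested): void {
    $path = resolve_template($requested, get_template_directory() . '/templates');
    if ($path === null) {
        status_header(404);   // WordPress helper; a default template is an alternative
        return;
    }
    include $path;
}

// Usage inside a theme (placeholder parameter name):
// render_safe(sanitize_key($_GET['view'] ?? 'home'));
```

`get_template_directory()`, `status_header()` and `sanitize_key()` are standard WordPress functions; the allowlist check alone already blocks traversal, and the `realpath()` prefix check guards against a later edit that widens the allowlist.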


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themerex; Themerex eject; Wordpress; Wordpress wordpress
Vendors & Products | | Themerex; Themerex eject; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Eject eject allows PHP Local File Inclusion. This issue affects Eject: from n/a through <= 2.17.
Title | | WordPress Eject theme <= 2.17 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:36.552Z

Reserved: 2026-02-25T12:13:39.590Z

Link: CVE-2026-28065

Vulnrichment

Updated: 2026-03-05T19:18:20.429Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:40.350

Modified: 2026-03-05T20:16:13.920

Link: CVE-2026-28065

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses