Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Rhythmo rhythmo allows PHP Local File Inclusion. This issue affects Rhythmo: from n/a through <= 1.3.4.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The Rhythmo theme passes a request-controlled filename to a PHP include/require call without adequate validation (CWE-98). Because include executes whatever it loads, an unauthenticated attacker (the CVSS vector has PR:N) who can reach the vulnerable code path can make the server include arbitrary local files that the web server process can read: files containing PHP are executed, and other files, such as sensitive configuration, have their contents disclosed. The CVSS vector rates confidentiality, integrity and availability impact all as High, so the exposure is not limited to data leakage.

Affected Systems

All installations of the ThemeREX Rhythmo WordPress theme at version 1.3.4 or earlier are affected (the record gives the range as "n/a through <= 1.3.4"). Sites running those releases remain vulnerable until the theme is updated to a version later than 1.3.4 that the vendor identifies as fixed; the Remediation field of this record does not yet name one.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the flaw high severity: it is reachable over the network without authentication or user interaction and has full impact on confidentiality, integrity and availability, but attack complexity is rated High, and the SSVC assessment marks it as not automatable with no known exploitation. The EPSS score below 1% indicates a low predicted probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog. Exploitation would consist of a crafted HTTP request that reaches the theme's include logic with an attacker-chosen path; no authentication is required.

Generated by OpenCVE AI on April 15, 2026 at 23:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Rhythmo theme to the first release newer than 1.3.4 that ThemeREX or Patchstack identifies as fixed. The Remediation field above records no vendor fix at the time of this enrichment, so verify the fixed version against the vendor's changelog rather than assuming one.
  • If an upgrade cannot be performed immediately, switch to a different theme and remove the Rhythmo theme directory from wp-content/themes. Deactivating a theme does not delete its files, so a merely inactive copy can still be requested directly.
  • Keep WordPress core and all plugins up to date, and consider a web application firewall with rules for path traversal sequences (../ and its URL-encoded variants) and PHP stream wrappers (php://, data://, and similar) in request parameters. A WAF inspects HTTP requests, not PHP include statements, so treat it as a mitigation, not a fix.

Generated by OpenCVE AI on April 15, 2026 at 23:01 UTC.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Themerex; Themerex rhythmo; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Themerex; Themerex rhythmo; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 21:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Rhythmo rhythmo allows PHP Local File Inclusion. This issue affects Rhythmo: from n/a through <= 1.3.4.
Type: Title
Values Added: WordPress Rhythmo theme <= 1.3.4 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:37.041Z

Reserved: 2026-02-25T12:13:39.590Z

Link: CVE-2026-28068

Vulnrichment

Updated: 2026-03-05T20:54:43.475Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:40.750

Modified: 2026-03-05T21:16:19.910

Link: CVE-2026-28068

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:15:17Z

Weaknesses