Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion. This issue affects Vapester: from n/a through <= 1.1.10.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential execution of arbitrary code)
Action: Update Theme
AI Analysis

Impact

The vulnerability arises from insufficient validation of the filename used in PHP include/require statements within the Vapester theme for WordPress. This flaw permits an attacker to specify an arbitrary local file path, so the theme may read or execute files that should remain protected. The weakness is classified as CWE‑98, and its CVSS score of 8.1 indicates high severity, with potential compromise of confidentiality and integrity; if the included file is a PHP script, the flaw could lead to remote code execution on the host.

Affected Systems

WordPress installations running the ThemeREX Vapester theme at version 1.1.10 or earlier are affected. No newer versions are known to contain this flaw, so any site still running an impacted release remains vulnerable.

Risk and Exploitability

The calculated EPSS score is below one percent, suggesting that the observed probability of exploitation is low, and the vulnerability has not yet appeared in the CISA KEV catalog. Nonetheless, based on the description, the attack vector is likely a web request that manipulates a theme parameter to supply a controlled file path; a compromised user, or a malicious actor able to control the site’s query strings, could exploit the flaw. Given the lack of a network‑wide vector and the low EPSS, the risk is moderate but still significant enough to warrant prompt remediation.

Generated by OpenCVE AI on April 16, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the Vapester theme to version 1.1.11 or later, which removes the insecure include/require logic.
  • If an immediate update is unavailable, restrict external read access to the theme directory and eliminate any writable file path parameters, or modify the theme’s file‑inclusion logic to use hard‑coded, validated paths.
  • Deploy a web application firewall rule that blocks requests containing suspicious path‑traversal sequences (e.g., ".." or "/") or query parameters matching the theme’s include parameter.

Generated by OpenCVE AI on April 16, 2026 at 12:34 UTC.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themerex; Themerex vapester; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themerex; Themerex vapester; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 19:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion. This issue affects Vapester: from n/a through <= 1.1.10.

Type: Title
Values Removed: (none)
Values Added: WordPress Vapester theme <= 1.1.10 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:38.193Z

Reserved: 2026-02-25T12:13:47.059Z

Link: CVE-2026-28077

Vulnrichment

Updated: 2026-03-05T18:11:57.373Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:41.710

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T12:45:35Z

Weaknesses