Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Filmax filmax allows PHP Local File Inclusion.This issue affects Filmax: from n/a through <= 1.1.11.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The Fillmax WordPress theme contains an improper control of filename for include/require statements, allowing attackers to supply arbitrary file paths to be included by the PHP engine. This vulnerability can grant the ability to read sensitive files and, if a remote file can be accessed, to execute arbitrary code, thereby compromising confidentiality, integrity, and availability of the site.

Affected Systems

All installations of the ThemeREX Filmax theme with versions up to and including 1.1.11 are affected. The vulnerability applies to any WordPress instance that has the theme activated, regardless of other plugins or configurations.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. EPSS is below 1%, so the likelihood of exploitation is considered low, but not negligible. The issue is not yet listed in the CISA KEV catalog, which suggests no publicly available exploit has been confirmed. Based on the description, the most likely attack vector is a local file inclusion via manipulated query parameters or user input, though attackers could achieve remote code execution if an external file can be requested and the allow_url_include directive is enabled. The absence of a known workaround or official patch means the threat persists until the theme is updated.

Generated by OpenCVE AI on April 15, 2026 at 22:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Filmax theme to a version newer than 1.1.11 or apply any available official patch from ThemeREX.
  • If an update is not immediately possible, modify the theme’s file inclusion logic to validate the filename against a whitelist of allowed directories and base names, rejecting any absolute or relative paths that traverse outside the theme directory.
  • Disable the PHP configuration directive allow_url_include and enforce strict local include behavior, ensuring that only local files are considered for inclusion.

Generated by OpenCVE AI on April 15, 2026 at 22:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex filmax
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex filmax
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Filmax filmax allows PHP Local File Inclusion.This issue affects Filmax: from n/a through <= 1.1.11.
Title WordPress Filmax theme <= 1.1.11 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Filmax
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:40.139Z

Reserved: 2026-02-25T12:13:51.945Z

Link: CVE-2026-28087

cve-icon Vulnrichment

Updated: 2026-03-05T18:58:25.976Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:42.650

Modified: 2026-03-05T20:16:14.700

Link: CVE-2026-28087

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T23:00:10Z

Weaknesses