Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion. This issue affects Aqualots: from n/a through <= 1.1.6.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to potential code execution and data exposure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an Improper Control of Filename for Include/Require Statement (CWE-98) in the WordPress Aqualots theme by ThemeREX: a request-controlled value reaches a PHP include/require without adequate validation, so the theme can be made to include a local file of the attacker's choosing. Depending on server configuration, that allows reading sensitive files such as wp-config.php, or executing PHP contained in any file the attacker can already place or influence on the host (an uploaded image with embedded PHP, a poisoned log, a session file). Although the CWE title mentions remote file inclusion, the advisory classifies this issue as local file inclusion; the impact on confidentiality, integrity and availability is rated high in all three.
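To make the weakness concrete, here is an added illustration of the CWE-98 pattern beside a hardened resolver. It is not code from the Aqualots theme or from ThemeREX (the advisory does not show the affected code). The theme is PHP; the example is written in Python so both resolvers can be exercised against a throwaway directory, and the directory layout, file names and the `template` parameter are assumptions for illustration only.

```python
import os
import re
import tempfile

# Constructed fixture so the example runs offline: a throwaway "theme"
# directory with two legitimate template partials and, one level up, a
# wp-config.php that an attacker would aim for. The layout, file names and
# the `template` parameter are assumptions, not the real Aqualots structure.
THEME_DIR = tempfile.mkdtemp(prefix="lfi-demo-")
TEMPLATES_DIR = os.path.join(THEME_DIR, "templates")
os.makedirs(TEMPLATES_DIR)
for _name in ("header", "footer"):
    with open(os.path.join(TEMPLATES_DIR, _name + ".php"), "w") as _fh:
        _fh.write("<?php // %s partial\n" % _name)
with open(os.path.join(THEME_DIR, "wp-config.php"), "w") as _fh:
    _fh.write("<?php define('DB_PASSWORD', 'example-secret');\n")

# A template name may only be a bare identifier: no '/', '\\', '.' or ':',
# so neither a traversal sequence nor a stream wrapper (php://, data:) fits.
TEMPLATE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def vulnerable_resolve(template: str) -> str:
    """The CWE-98 pattern: the request parameter becomes the include path
    unchecked. Stands in for `include TEMPLATES . '/' . $_GET['template'] . '.php';`."""
    return os.path.join(TEMPLATES_DIR, template + ".php")


def hardened_resolve(template: str) -> str:
    """Reject anything that is not a bare identifier, then prove the canonical
    path is still inside the template directory (defence in depth against a
    symlink or a later relaxation of the name pattern)."""
    if not TEMPLATE_NAME_RE.match(template):
        raise ValueError("template name rejected: %r" % template)
    base = os.path.realpath(TEMPLATES_DIR)
    candidate = os.path.realpath(os.path.join(base, template + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes template directory")
    return candidate


def attempt(resolver, template: str):
    """Return what PHP's include would end up doing with the resolved path:
    ('included', contents), ('missing', path) or ('rejected', reason).
    Python has no php:// wrappers, so a wrapper string is simply 'missing'
    for the vulnerable resolver here; in PHP it would be opened."""
    try:
        path = resolver(template)
    except ValueError as exc:
        return ("rejected", str(exc))
    if not os.path.isfile(path):
        return ("missing", path)
    with open(path) as fh:
        return ("included", fh.read())


if __name__ == "__main__":
    for name in ("header", "../wp-config", "php://filter/convert.base64-encode/resource=header"):
        print("%-50s vulnerable=%-9s hardened=%s" % (
            name, attempt(vulnerable_resolve, name)[0], attempt(hardened_resolve, name)[0]))
```

The identifier pattern is the check that actually closes the hole; the realpath containment test costs nothing and keeps the code safe if someone later widens the pattern to allow subdirectories.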

Affected Systems

The ThemeREX Aqualots WordPress theme is affected in all releases up to and including version 1.1.6 (the advisory gives the range as "from n/a through <= 1.1.6"). The WordPress core version does not matter: the flaw is in the theme's own code, so any site with the theme installed at one of those versions is exposed.

Risk and Exploitability

The CVSS v3.1 base score is 8.1 (High), vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network with no privileges or user interaction required, but with high attack complexity, which is why the score falls short of Critical despite high impact on all three properties. The EPSS score is below 1% (Very Low), the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Taken together these describe an issue that is not known to be exploited but should be patched promptly: once a working request is found, an unauthenticated attacker can read local files, and can escalate to code execution if any file whose contents they control (an upload, a log, a session file) is reachable from the include.

Generated by OpenCVE AI on April 16, 2026 at 04:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Aqualots theme to a version newer than 1.1.6 as soon as ThemeREX publishes one; the advisory lists no fixed version, so check the vendor's changelog for a note on this issue before assuming a release closes it.
  • If an update is not feasible, limit what a successful inclusion can reach: confine PHP with open_basedir to the WordPress document root, keep directories the web server can write to (such as wp-content/uploads) from executing PHP via the web server configuration, and deny direct HTTP requests to the theme's PHP files with .htaccess or equivalent rules where the site does not need them. Note that .htaccess rules block direct requests, not PHP include() calls themselves.
  • Deploy a web application firewall rule that inspects requests to the theme's PHP files for traversal sequences (`../`, including percent-encoded and double-encoded forms), PHP stream wrappers (`php://`, `data:`, `expect://`) and references to sensitive files such as wp-config.php or /etc/passwd, and review access logs for the same patterns to find attempts that preceded the rule.
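The WAF and log-review step above can be checked against real traffic with a small scanner. The following is an added example, not an OpenCVE or ThemeREX tool: it parses Apache combined-format log lines, decodes each query-parameter value repeatedly, and flags traversal sequences, PHP stream wrappers and sensitive file names. The log lines, the theme path, the client addresses and the `template` parameter name are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-format lines. The theme path, the `template`
# parameter and the client addresses are assumptions for illustration; only
# the shapes of the payloads are realistic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:00:01 +0000] "GET /?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2026:10:00:02 +0000] "GET /wp-content/themes/aqualots/index.php?template=../../../../wp-config.php HTTP/1.1" 200 812 "-" "curl/8.4.0"
203.0.113.9 - - [05/Mar/2026:10:00:03 +0000] "GET /wp-content/themes/aqualots/index.php?template=..%252f..%252f..%252fetc%252fpasswd HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.9 - - [05/Mar/2026:10:00:04 +0000] "GET /wp-content/themes/aqualots/index.php?template=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 1420 "-" "python-requests/2.31"
198.51.100.4 - - [05/Mar/2026:10:00:05 +0000] "GET /wp-content/themes/aqualots/style.css?ver=1.1.6 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

# Checked in this order: a wrapper is the strongest signal, then traversal,
# then a bare reference to a file worth protecting.
WRAPPER_RE = re.compile(r"^(?:php|expect|phar|zip|glob|file|compress\.zlib)://|^data:", re.I)
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")
SENSITIVE_RE = re.compile(r"(?:/etc/passwd|/proc/self/environ|wp-config\.php|\.env$)", re.I)


def deep_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so %252e%252e (a
    double-encoded '..') is seen in plain form; backslashes are folded to '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def classify_value(value: str):
    """Return the finding kind for one query-parameter value, or None."""
    plain = deep_decode(value)
    if WRAPPER_RE.search(plain):
        return "stream-wrapper"
    if TRAVERSAL_RE.search(plain):
        return "path-traversal"
    if SENSITIVE_RE.search(plain):
        return "sensitive-file"
    return None


def scan_log(text: str):
    """Return one finding dict per suspicious parameter value in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        # parse_qsl already decodes one layer; deep_decode handles the rest.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify_value(value)
            if kind is None:
                continue
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": parts.path,
                "param": key,
                "kind": kind,
                "value": deep_decode(value),
                # A 200 on an inclusion attempt means the server returned
                # something; those are the lines to triage first.
                "status": int(m.group("status")),
            })
    return findings


def attackers(findings):
    """Count findings per source address to see who is probing."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(kind)-15s %(param)s=%(value)s -> %(status)d" % f)
    print(attackers(scan_log(SAMPLE_LOG)))
```

The same three patterns are what a WAF rule should match after its own decoding step; scanning the log catches probes that arrived before the rule was deployed and shows whether any of them got a 200.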


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Themerex; Themerex aqualots; Wordpress; Wordpress wordpress
Vendors & Products   -                Themerex; Themerex aqualots; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type          Values Removed   Values Added
Description   -                Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion. This issue affects Aqualots: from n/a through <= 1.1.6.
Title         -                WordPress Aqualots theme <= 1.1.6 - Local File Inclusion vulnerability
Weaknesses    -                CWE-98
References    -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:40.325Z

Reserved: 2026-02-25T12:13:51.945Z

Link: CVE-2026-28088

Vulnrichment

Updated: 2026-03-05T17:14:09.072Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:42.780

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses