Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Sounder sounder allows PHP Local File Inclusion. This issue affects Sounder: from n/a through <= 1.3.11.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that can lead to disclosure of sensitive files or execution of arbitrary code
Action: Immediate Patch
AI Analysis

Impact

Improper control of the filename used in include/require statements in the ThemeREX Sounder WordPress theme permits local file inclusion, allowing an attacker to read files on the server or have them executed as PHP. This can lead to disclosure of sensitive configuration files or the execution of malicious PHP code, compromising confidentiality and integrity. The flaw is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

Affected Systems

WordPress sites that use ThemeREX Sounder versions up to and including 1.3.11 are affected. The vulnerability is present from the first release of the theme through any installation running version 1.3.11 or earlier.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, while an EPSS score below 1% suggests a relatively low probability of exploitation. The flaw is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the weakness by manipulating user-controlled parameters that influence the include/require path, potentially leading to the inclusion of sensitive files or the execution of PHP code if the server permits. Given the absence of widespread exploitation reports, organizations should monitor for suspicious activity and prioritize remediation.

Generated by OpenCVE AI on April 15, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ThemeREX Sounder to a version newer than 1.3.11 or apply the vendor’s patch if available
  • If an upgrade is not possible, modify the theme’s code to sanitize or hard‑code any paths used in include/require statements, removing any user‑controlled input
  • Configure a web‑application firewall or server rules to block directory traversal patterns and restrict PHP file inclusion to the theme’s directory, and disable allow_url_fopen to prevent remote inclusion

Generated by OpenCVE AI on April 15, 2026 at 22:53 UTC.
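
One way to apply the second recommended action, shown as an added example that is not code from the Sounder theme or from OpenCVE. The function name `resolve_template`, the template names and the temporary demo directory are hypothetical; in a theme the base directory would be a fixed path under the theme's own directory.

```php
<?php
// Added example: hypothetical helper, not code from the Sounder theme.
// Maps a request-supplied template name to a file that may be included.

/**
 * @param string   $requested Untrusted value (query string, shortcode attribute, ...).
 * @param string   $baseDir   Directory that holds all includable templates.
 * @param string[] $allowed   Template names the theme actually ships.
 * @return string|null Absolute path that may be included, or null if rejected.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the untrusted value only selects among known names and
    //    never reaches the path unless it matches one of them exactly.
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // 2. Containment: canonicalise both paths (resolves ".." and symlinks)
    //    and require the result to stay under the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null; // base directory or template file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the template directory
    }
    return $path;
}

// Constructed demo: a temporary template directory containing one template.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/header-default.php', "<?php echo \"header ok\\n\";");
$allowed = ['header-default', 'header-compact'];

// Constructed inputs: valid name, traversal, allowlisted-but-missing, NUL byte.
foreach (['header-default', '../outside', 'header-compact', "header-default\0x"] as $input) {
    $path = resolve_template($input, $dir, $allowed);
    if ($path === null) {
        echo 'rejected: ' . var_export($input, true) . "\n";
        continue;
    }
    include $path; // only reached for allowlisted, contained files
}
unlink($dir . '/header-default.php');
rmdir($dir);
```

Only the first input is included; the other three are rejected before any `include` is reached.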

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themerex; Themerex sounder; Wordpress; Wordpress wordpress
Vendors & Products | | Themerex; Themerex sounder; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Sounder sounder allows PHP Local File Inclusion. This issue affects Sounder: from n/a through <= 1.3.11.
Title | | WordPress Sounder theme <= 1.3.11 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:41.030Z

Reserved: 2026-02-25T12:13:51.945Z

Link: CVE-2026-28092

Vulnrichment

Updated: 2026-03-05T17:12:56.167Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:43.313

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:00:10Z

Weaknesses