Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion.This issue affects Ozisti: from n/a through <= 1.1.10.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion enabling information disclosure or remote code execution
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from improper handling of filenames used in PHP include/require statements, allowing an attacker to manipulate the file path in a way that the server includes local files. This flaw can expose sensitive server files or, if an attacker supplies a crafted file containing executable code, it may lead to arbitrary remote code execution. The weakness is categorized as CWE‑98.

Affected Systems

ThemeREX Ozisti is affected in all releases up to version 1.1.10. The vulnerability applies to any WordPress installation using this theme within the stated version range.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity. However, the EPSS score is under 1%, suggesting a very low probability of exploitation at present. The deficiency is not listed in the CISA KEV catalog. Attackers would need to find a way to supply a malicious file path to an included PHP instruction, likely via an input field or URL parameter that the theme uses without proper validation.

Generated by OpenCVE AI on April 16, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether a patched version of the Ozisti theme is available from ThemeREX, and upgrade to that version if possible.
  • If an upgrade is not immediately feasible, deactivate or remove the Ozisti theme entirely from the WordPress installation.
  • Implement server‑side input validation or a whitelist for including files used by the theme to ensure only intended files are loaded, mitigating the root cause of the flaw.

Generated by OpenCVE AI on April 16, 2026 at 04:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex ozisti
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex ozisti
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion.This issue affects Ozisti: from n/a through <= 1.1.10.
Title WordPress Ozisti theme <= 1.1.10 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themerex Ozisti
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:41.256Z

Reserved: 2026-02-25T12:13:56.811Z

Link: CVE-2026-28093

cve-icon Vulnrichment

Updated: 2026-03-05T18:44:19.861Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:43.447

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28093

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses