Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion. This issue affects Marcell: from n/a through <= 1.2.14.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion with potential code execution
Action: Immediate Patch
AI Analysis

Impact

Improper control of filename parameters in the PHP include/require statements of the Marcell theme allows an attacker to trigger a local file inclusion. This flaw can enable the reading of sensitive files on the server or, if a local PHP file can be uploaded or authored by the attacker, lead to remote code execution on the site. The vulnerability is classified as CWE‑98, which highlights the risk of uncontrolled input being used as a filename.

Affected Systems

The issue affects the ThemeREX Marcell WordPress theme up to and including version 1.2.14. Any installation using one of these versions is vulnerable; newer releases are not affected according to the available data.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, and the EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in the CISA KEV catalog, so no known widespread exploitation is reported. The likely attack vector involves a crafted HTTP request that supplies a file path to the vulnerable include statement, a technique that requires access to the site’s front‑end or an authenticated user context. While the vector is relatively straightforward, successful exploitation depends on the attacker’s ability to influence the filename parameter, which may be limited in some hosting environments.

Generated by OpenCVE AI on April 16, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Marcell theme to version 1.2.15 or newer when a patch becomes available.
  • Disable the Marcell theme or replace it with a secure alternative if an upgrade is not feasible.
  • Set strict file permissions on the WordPress installation to limit file access.
  • Enable open_basedir limits to restrict file inclusion to intended directories.
  • Monitor website logs for anomalous include/require parameters that could indicate exploitation attempts.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Themerex, Themerex marcell, Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Themerex, Themerex marcell, Wordpress, Wordpress wordpress

Thu, 05 Mar 2026 19:15:00 +0000

Type: Metrics
Values Added:
cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion. This issue affects Marcell: from n/a through <= 1.2.14.

Type: Title
Values Added: WordPress Marcell theme <= 1.2.14 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:41.645Z

Reserved: 2026-02-25T12:13:56.811Z

Link: CVE-2026-28095

Vulnrichment

Updated: 2026-03-05T18:41:15.313Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:43.710

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses