Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX WealthCo wealthco allows PHP Local File Inclusion. This issue affects WealthCo: from n/a through <= 2.18.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a PHP Local File Inclusion flaw caused by inadequate validation of filenames used in include/require statements. It is formally classified as CWE‑98. An attacker could read arbitrary files from the server, exposing sensitive configuration or code content. The flaw does not explicitly guarantee remote code execution, only the ability to retrieve files through the vulnerable include logic.

Affected Systems

WordPress installations that use the ThemeREX WealthCo theme version 2.18 or earlier are affected. The issue exists from the earliest released version through 2.18 and is not limited to a narrower sub‑range.

Risk and Exploitability

The CVSS score of 8.1 signals high severity. The EPSS score of less than 1 percent indicates a very low observed exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending crafted HTTP requests to manipulate the include path, and while no active exploitation reports are attached to this CVE, the high severity justifies proactive mitigation.

Generated by OpenCVE AI on April 16, 2026 at 04:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the WealthCo theme to a release that removes the LFI flaw; if the vendor has issued a patch, install it immediately.
  • Restrict the include/require logic by hard‑coding file paths or implementing a whitelist of allowed files within the theme so that only approved resources can be loaded.
  • Configure PHP open_basedir to restrict the directories visible to the web process and disable execution of files in directories that could be abused by LFI, and consider using a WAF rule that blocks suspicious include or require parameters.
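The second recommended action above (hard-coded paths or an allowlist of includable files) is the standard fix for CWE-98. The following is an added illustration, not WealthCo's code and not taken from this record: a hypothetical template loader that maps a request parameter to a fixed set of files, contrasted with the CWE-98 anti-pattern of building the include path from user input. The directory and template names are constructed for the example.

```php
<?php
// Added example (not the WealthCo theme's code): a hardened template loader.
// Assumed theme directory; a real WordPress theme would use get_template_directory().
declare(strict_types=1);

$themeDir = __DIR__ . '/templates';

// Allowlist of logical template names -> files that may be included.
// Request input is only ever used as a lookup key, never as part of a path.
const TEMPLATE_ALLOWLIST = [
    'home'    => 'home.php',
    'single'  => 'single.php',
    'archive' => 'archive.php',
];

/**
 * Resolve a requested template name to an absolute path inside $themeDir.
 * Unknown names fall back to the default rather than being echoed into a path.
 */
function load_template(string $requested, string $themeDir): string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        $requested = 'home';
    }
    $path = $themeDir . '/' . TEMPLATE_ALLOWLIST[$requested];

    // Defence in depth: canonicalise and confirm the resolved file really sits
    // under the theme directory (catches symlinks and a misconfigured $themeDir).
    $real = realpath($path);
    $base = realpath($themeDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Template resolution failed');
    }
    return $real;
}

// CWE-98 anti-pattern, shown only for contrast (do not use):
// include $themeDir . '/' . $_GET['template'] . '.php';

$template = isset($_GET['template']) ? (string) $_GET['template'] : 'home';
include load_template($template, $themeDir);
```

The allowlist is the primary control; the `realpath` check and the `open_basedir` setting from the third action above are independent layers that still limit damage if the map is ever extended carelessly.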

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Themerex; Themerex wealthco; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Themerex; Themerex wealthco; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX WealthCo wealthco allows PHP Local File Inclusion.This issue affects WealthCo: from n/a through <= 2.18.

Type: Title
Values Removed: (none)
Values Added: WordPress WealthCo theme <= 2.18 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98

Type: References
Values Removed: (none)
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:41.825Z

Reserved: 2026-02-25T12:13:56.811Z

Link: CVE-2026-28096

Vulnrichment

Updated: 2026-03-05T17:08:52.584Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:43.837

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses