Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion. This issue affects Save Life: from n/a through <= 1.2.13.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion allowing disclosure of file contents and potential code execution
Action: Update Theme
AI Analysis

Impact

The vulnerability is an improper control of filename for an include or require statement, permitting a Local File Inclusion attack. By manipulating the filename parameter used by the theme, an attacker can read arbitrary local files and, if they can provide a PHP file, execute code. This weakness falls under CWE-98, which concerns using uncontrolled input as a filename in requires or includes.

Affected Systems

WordPress sites using ThemeREX Save Life theme version 1.2.13 or earlier are affected. Any installation still running these or older versions is vulnerable and should be verified via the WordPress admin interface or the plugin directory.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, but the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation would likely involve submitting a crafted request that directs the theme to include a targeted file path, which could be performed by an unauthenticated user if the parameter is publicly exposed. The impact is limited to the server’s file system, but the ability to execute PHP code could elevate the risk substantially if the attacker succeeds.

Generated by OpenCVE AI on April 15, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Save Life theme to a version later than 1.2.13, as the latest releases contain the fix for the Local File Inclusion flaw.
  • If an upgrade cannot be performed immediately, remove or disable the theme from the site to eliminate the attack vector.
  • Apply an input validation whitelist for include paths or configure the web server/PHP to disallow user-supplied filenames for includes, thereby preventing the exploitation of the vulnerability.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themerex; Themerex save Life; Wordpress; Wordpress wordpress
Vendors & Products | | Themerex; Themerex save Life; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Save Life save-life allows PHP Local File Inclusion. This issue affects Save Life: from n/a through <= 1.2.13.
Title | | WordPress Save Life theme <= 1.2.13 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:42.268Z

Reserved: 2026-02-25T12:13:56.812Z

Link: CVE-2026-28098

Vulnrichment

Updated: 2026-03-05T17:03:24.308Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:44.100

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28098

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z
