Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Welldone welldone allows PHP Local File Inclusion. This issue affects Welldone: from n/a through <= 2.4.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP (CWE-98) in the Welldone theme's inclusion logic, reported as PHP Local File Inclusion: an attacker-influenced value reaches an include or require statement, so the theme can be made to load a file the developer never intended. Depending on which files the attacker can reach, that means disclosure of sensitive files such as configuration data or, if the attacker can get PHP code into any file the server can read, remote code execution. The flaw carries a CVSS 3.1 base score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Affected Systems

Installations of the Welldone WordPress theme at version 2.4 or earlier are affected. The advisory gives no lower bound ("from n/a"), so every release through 2.4 should be treated as vulnerable until the vendor states otherwise. The installed version can be read from the "Version:" line in the theme's style.css header or from the Appearance > Themes screen.

Risk and Exploitability

The EPSS score for this vulnerability is below 1 % and it is not listed in CISA's KEV catalog, so there is no evidence of exploitation in the wild to date; the SSVC assessment recorded on this page likewise marks Exploitation as none and Automatable as no, while rating the technical impact as total. The CVSS vector (AV:N, PR:N, UI:N) describes an unauthenticated, network-reachable attack with no user interaction, although attack complexity is rated High. Based on the description, the likely attack vector is a web request in which the attacker controls a parameter, via the URL or a form submission, that the theme then passes to a require or include statement. A successful attack could read sensitive files such as wp-config.php or, if the attacker can place PHP code in a file the server can read (an upload, a log), execute it, compromising the confidentiality, integrity, and availability of the WordPress installation.

Generated by OpenCVE AI on April 15, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Welldone theme to a version that fixes the flaw as soon as Axiom Themes publishes one (none is listed on this page yet). If the theme is no longer required, delete it rather than merely deactivating it: an inactive theme's PHP files remain on disk and may still be reachable directly over HTTP.
  • Keep the PHP directive allow_url_include set to Off (its default; it governs remote inclusion and does not by itself stop a local one) and use open_basedir to confine PHP to the site's directories. Treat both as defence in depth: open_basedir does not prevent inclusion of files that live inside the allowed tree, such as wp-config.php or anything under wp-content/uploads.
  • Validate every filename used in the theme's include or require calls: map untrusted input to an allowlist of known template names, resolve the result with realpath() and confirm it stays inside the intended directory, and reject anything else.
  • Continuously monitor the Axiom Themes website and security advisories for additional updates or patches, and keep WordPress core and plugins up to date.

Generated by OpenCVE AI on April 15, 2026 at 19:59 UTC.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Added: Axiomthemes; Axiomthemes welldone; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Axiomthemes; Axiomthemes welldone; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics
  Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Welldone welldone allows PHP Local File Inclusion. This issue affects Welldone: from n/a through <= 2.4.
Type: Title
  Values Added: WordPress Welldone theme <= 2.4 - Local File Inclusion vulnerability
Type: Weaknesses
  Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:46.641Z

Reserved: 2026-02-25T12:14:07.578Z

Link: CVE-2026-28118

Vulnrichment

Updated: 2026-03-05T16:40:11.343Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:46.350

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28118

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses