Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Nirvana nir-vana allows PHP Local File Inclusion.This issue affects Nirvana: from n/a through <= 2.6.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to potential remote code execution
Action: Immediate Patch
AI Analysis

Impact

WordPress sites running the AxiomThemes Nirvana theme at version 2.6 or earlier carry an improper-control-of-filename flaw in an include/require statement (CWE-98). Because an included file is both output and executed as PHP, the bug lets an attacker pull arbitrary local files into the page: non-PHP files such as configuration files have their contents disclosed, and any file the attacker can already place or poison on the server becomes a route to code execution, which is the usual LFI-to-RCE path. The 8.1 CVSS score reflects High confidentiality, integrity and availability impact, tempered by the High attack complexity recorded in the vector.

Affected Systems

The vulnerability affects the AxiomThemes Nirvana theme in every release through version 2.6; the CVE record lists no lower bound ("from n/a"). Any WordPress site with an affected copy installed is exposed regardless of the WordPress core version. Because theme files live under the web root (wp-content/themes/), an installed but inactive copy may still be reachable, so remove unused copies rather than merely deactivating them. Sites that do not have Nirvana installed are unaffected; every site still running 2.6 or earlier must update once a fixed release exists.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable flaw that needs no privileges and no user interaction but has High attack complexity, and the SSVC assessment records Exploitation: none and Automatable: no. Consistent with that, the EPSS estimate is below 1% and the issue is not listed in the CISA KEV catalog. Exploitation requires a request that reaches the theme's include logic with attacker-controlled input, typically a query parameter that is concatenated into the file path; the root cause is missing validation of that value, which lets traversal sequences or absolute paths select files outside the intended directory. A low EPSS today says only that exploitation attempts are not yet being observed, not that the bug is hard to trigger once the affected code path is known, so it is not a reason to defer patching.

Generated by OpenCVE AI on April 15, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the theme as soon as AxiomThemes publishes a fixed release. At the time of this page no fix or workaround is listed, so watch the vendor and the Patchstack advisory for the patched version rather than assuming a particular version number is safe.
  • Until a fix is available, remove the user-controlled input from the include path: map the request value to a fixed allowlist of files (or a hard-coded absolute path) and reject anything else. Do not try to strip traversal sequences out of the string; encoding variants and PHP stream wrappers routinely bypass such filters. If the theme is installed but not in use, delete it.
  • Harden the PHP environment as defence in depth: set open_basedir to confine file access to the WordPress installation (plus any temp or upload directories it needs), keep allow_url_include Off (the default; it governs remote rather than local inclusion and has been deprecated since PHP 7.4), and add web application firewall rules for traversal sequences, php:// and similar wrappers in request parameters, and absolute paths to sensitive files. These measures limit impact but do not remove the flaw.
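The allowlist approach in the second recommendation, as an added PHP example that is not code from the Nirvana theme, AxiomThemes or OpenCVE: a generic vulnerable include beside a hardened version, plus a report of the php.ini settings named in the third recommendation. The `template` parameter name, the template file names and the allowlist contents are hypothetical, and the demo inputs are constructed.

```php
<?php
// Added example, not code from the Nirvana theme or AxiomThemes: the
// CWE-98 pattern the advisory describes, beside an allowlisted rewrite.
// The "template" parameter and the template file names are hypothetical.
declare(strict_types=1);

// Vulnerable pattern: the request value is concatenated into the include path.
// "?template=../../../../etc/passwd" or a php:// wrapper lands here unchanged.
function render_template_unsafe(string $template, string $baseDir): void
{
    include $baseDir . '/templates/' . $template . '.php';
}

// Hardened pattern: the request value is only a key into a fixed map, so the
// attacker never controls the path string. Stripping "../" from the input is
// not a substitute; encoding variants and stream wrappers bypass such filters.
const TEMPLATE_ALLOWLIST = [
    'grid'   => 'templates/grid.php',
    'list'   => 'templates/list.php',
    'single' => 'templates/single.php',
];

// Returns the resolved absolute path, or null when the request must be rejected.
function resolve_template(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . TEMPLATE_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: even an allowlisted entry must resolve under the theme
    // directory (guards against a symlink or a careless allowlist edit).
    $base .= DIRECTORY_SEPARATOR;
    return strncmp($path, $base, strlen($base)) === 0 ? $path : null;
}

function render_template_safe(string $requested, string $baseDir): void
{
    $path = resolve_template($requested, $baseDir);
    if ($path === null) {
        http_response_code(400);
        echo "rejected\n";
        return;
    }
    include $path;
}

// Reports the php.ini settings recommended above; run it on the target host.
function hardening_report(): array
{
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'open_basedir'      => ini_get('open_basedir') ?: '(unset)',
    ];
}

// Stand-alone demonstration: build a throwaway theme directory holding the
// three allowlisted templates, then feed constructed benign and hostile inputs.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
    mkdir($dir . '/templates', 0700, true);
    foreach (TEMPLATE_ALLOWLIST as $rel) {
        file_put_contents($dir . '/' . $rel,
            "<?php echo 'rendered ' . basename(__FILE__) . PHP_EOL;\n");
    }
    $inputs = [
        'grid',                                                       // allowed
        '../../../../etc/passwd',                                     // traversal
        'php://filter/convert.base64-encode/resource=wp-config.php',  // wrapper
        "grid\0",                                                     // null byte
    ];
    foreach ($inputs as $input) {
        printf("%-58s -> ", addcslashes($input, "\0"));
        render_template_safe($input, $dir);
    }
    print_r(hardening_report());
    foreach (TEMPLATE_ALLOWLIST as $rel) {
        unlink($dir . '/' . $rel);
    }
    rmdir($dir . '/templates');
    rmdir($dir);
}
```

Run it with `php lfi-allowlist.php`: only the `grid` input is included, the three hostile inputs are rejected before any filesystem access, and the report shows whether the host's php.ini already has the recommended settings. The key design point is that `render_template_unsafe` lets the attacker choose the path, while `resolve_template` only ever lets them choose among paths the developer wrote down.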

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Nirvana allows PHP Local File Inclusion.This issue affects Nirvana: from n/a through 2.6.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Nirvana nir-vana allows PHP Local File Inclusion.This issue affects Nirvana: from n/a through <= 2.6.

Type: References

Fri, 13 Mar 2026 20:00:00 +0000

Fri, 13 Mar 2026 16:15:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Nirvana nirvana allows PHP Local File Inclusion.This issue affects Nirvana: from n/a through <= 2.6.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Nirvana allows PHP Local File Inclusion.This issue affects Nirvana: from n/a through 2.6.

Type: References

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Axiomthemes; Axiomthemes nirvana; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Axiomthemes; Axiomthemes nirvana; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Nirvana nirvana allows PHP Local File Inclusion.This issue affects Nirvana: from n/a through <= 2.6.

Type: Title
Values Added: WordPress Nirvana theme <= 2.6 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T16:00:44.775Z

Reserved: 2026-02-25T12:14:07.579Z

Link: CVE-2026-28119

Vulnrichment

Updated: 2026-03-05T15:10:51.208Z

NVD

Status : Awaiting Analysis

Published: 2026-03-05T06:16:46.483

Modified: 2026-04-01T17:28:38.090

Link: CVE-2026-28119

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses