Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Notarius notarius allows PHP Local File Inclusion. This issue affects Notarius: from n/a through <= 1.9.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch Now
AI Analysis

Impact

The CVE describes an improper control of filename for the include/require statement in the Notarius theme that allows an attacker to include arbitrary local files. An attacker who can craft a request that influences the include path could read sensitive files on the server, and, if the included file contains PHP code, execute it, potentially leading to remote code execution or disclosure of confidential data.

Affected Systems

This weakness is present in the AncoraThemes Notarius WordPress theme on all versions up to and including 1.9. WordPress installations that have any of these versions deployed are vulnerable.

Risk and Exploitability

The CVSS base score of 8.1 classifies the issue as high severity. The EPSS score of less than 1% suggests a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalogue. However, once a path to provide a filename argument is discovered, the attacker can include files without authentication. The attack would most likely be performed by manipulating a URL or form parameter that is fed to an include/require call in the theme code.

Generated by OpenCVE AI on April 15, 2026 at 22:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Notarius theme to a version newer than 1.9, or apply a vendor‑provided patch if available.
  • Remove or hard‑code any user‑supplied file paths used in include/require statements, or implement a strict whitelist of allowable filenames.
  • Set 'allow_url_include' to Off and 'allow_url_fopen' to Off in the PHP configuration to prevent inclusion of remote files.
  • Verify that WordPress and PHP are configured with the principle of least privilege, reducing the impact scope if an inclusion were to succeed.
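
The allowlist recommended in the second action above can look like the following. This is an added example, not code from the Notarius theme or from OpenCVE; the `layout` parameter, the `templates` directory, the template slugs and the function name `resolve_template` are hypothetical.

```php
<?php
// Added illustration, not code from the Notarius theme. The "layout"
// parameter, the "templates" directory and the slugs are hypothetical.

// Pattern to remove (CWE-98): a request value reaches include unchecked.
//   include $base_dir . '/' . $_GET['layout'] . '.php';

/**
 * Map a requested template slug to a file path, or return null.
 * The request value is only ever used as a lookup key, and the resolved
 * path must still sit inside $base_dir once symlinks and ".." are collapsed.
 */
function resolve_template(string $requested, string $base_dir): ?string
{
    // Fixed allowlist: the file names are constants, never request data.
    $allowed = [
        'grid'    => 'layout-grid.php',
        'list'    => 'layout-list.php',
        'masonry' => 'layout-masonry.php',
    ];

    if (!array_key_exists($requested, $allowed)) {
        return null; // unknown slug, including any path-like value
    }

    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or template file is missing
    }

    // Defence in depth: reject a file that resolves outside the base
    // directory, for example through a symlink planted in it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    return $path;
}

// Call site in a theme file: fall back to a default, fail closed otherwise.
$slug = isset($_GET['layout']) && is_string($_GET['layout']) ? $_GET['layout'] : 'grid';
$file = resolve_template($slug, __DIR__ . '/templates');
if ($file !== null) {
    include $file;
} else {
    http_response_code(400);
}
```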


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ancorathemes; Ancorathemes notarius; Wordpress; Wordpress wordpress
Vendors & Products | | Ancorathemes; Ancorathemes notarius; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Notarius notarius allows PHP Local File Inclusion. This issue affects Notarius: from n/a through <= 1.9.
Title | | WordPress Notarius theme <= 1.9 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:47.592Z

Reserved: 2026-02-25T12:14:12.837Z

Link: CVE-2026-28124

Vulnrichment

Updated: 2026-03-05T15:45:03.535Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:47.140

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:00:10Z

Weaknesses