Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Midi midi allows PHP Local File Inclusion. This issue affects Midi: from n/a through <= 1.14.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to potential disclosure of sensitive files
Action: Apply Patch
AI Analysis

Impact

The vulnerability exists because the AncoraThemes Midi theme does not properly control the filename used in a PHP include/require statement. This flaw, classified as CWE-98, lets an attacker include arbitrary local files from the server's filesystem. The LFI can expose the contents of any file the web server process can read and, if a PHP file is included, may allow execution of that code. The CVE data does not explicitly state that remote code execution is assured.

Affected Systems

WordPress sites running the AncoraThemes Midi theme at version 1.14 or earlier are affected.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high-severity flaw, while the EPSS of less than 1% suggests a low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a publicly reachable request that supplies an arbitrary path to the include/require call, with no authentication or administrative privilege required.

Generated by OpenCVE AI on April 16, 2026 at 04:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Midi theme to any release newer than 1.14 to remove the vulnerable code.
  • If an update is not immediately possible, disable or remove the Midi theme from the WordPress installation to eliminate the attack surface.
  • Configure an application layer firewall or content‑security rules to block or sanitize file paths that could trigger the include/require statement, reducing the risk of successful LFI.

Generated by OpenCVE AI on April 16, 2026 at 04:46 UTC.
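The CWE-98 pattern described under Impact, and the code-level fix behind the first two Recommended Actions, as an added PHP illustration: this is hypothetical code, not the Midi theme's and not from OpenCVE. The `layout` query parameter, the `templates/` folder and the function names are assumptions; the WordPress calls used (get_template_directory, wp_unslash, sanitize_key, locate_template) are real core functions.

```php
<?php
/**
 * Added illustration of CWE-98 (uncontrolled include/require filename) in a
 * WordPress theme. Hypothetical code: not the Midi theme's, not from OpenCVE.
 * The 'layout' parameter, the templates/ folder and the function names are
 * assumptions; the WordPress API functions called are real core functions.
 */

// Vulnerable pattern: the raw request value becomes part of the include path.
// Any file the web server user can read can be selected with "../" sequences,
// and if it is a PHP file it is executed. This is the LFI described above.
function example_vulnerable_render() {
    $layout = isset( $_GET['layout'] ) ? $_GET['layout'] : 'default';
    include get_template_directory() . '/templates/' . $layout . '.php';
}

// Hardened pattern: the request only selects a key from a fixed allowlist, and
// the filename is taken from the allowlist value, never from the request string.
function example_hardened_render() {
    $allowed = array(
        'default' => 'templates/default.php',
        'grid'    => 'templates/grid.php',
        'list'    => 'templates/list.php',
    );

    // sanitize_key() lowercases the value and strips everything except
    // a-z, 0-9, '_' and '-', so '/', '.' and null bytes cannot reach the lookup.
    $key = isset( $_GET['layout'] )
        ? sanitize_key( wp_unslash( $_GET['layout'] ) )
        : 'default';
    if ( ! array_key_exists( $key, $allowed ) ) {
        $key = 'default'; // unknown values fall back; they never reach include
    }

    // locate_template() resolves the relative path inside the active theme
    // (child theme first, then parent) and returns '' when the file is absent.
    $located = locate_template( $allowed[ $key ], false, false );
    if ( '' === $located ) {
        return false; // template file missing from the theme
    }

    require $located;
    return true;
}
```

The allowlist, not the sanitising call, is the actual control: even if a future change drops sanitize_key(), an unknown key still falls back to 'default' before any include/require runs.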


Advisories

No advisories yet.

History

Fri, 03 Apr 2026 06:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Ancorathemes; Ancorathemes midi; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Ancorathemes; Ancorathemes midi; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 15:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Midi midi allows PHP Local File Inclusion. This issue affects Midi: from n/a through <= 1.14.

Type: Title
Values Added: WordPress Midi theme <= 1.14 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:47.819Z

Reserved: 2026-02-25T12:14:12.838Z

Link: CVE-2026-28125

Vulnrichment

Updated: 2026-03-05T14:13:40.473Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:47.273

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses