Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Verse verse allows PHP Local File Inclusion. This issue affects Verse: from n/a through <= 1.7.0.
Published: 2026-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential for remote code execution)
Action: Patch
AI Analysis

Impact

This vulnerability arises from improper control over file names used in PHP include/require statements within the Verse theme. The flaw allows an attacker to instruct the theme to include arbitrary files, which can lead to reading sensitive files or executing malicious code on the server. The weakness is classified as CWE‑98, indicating insecure handling of file paths.

Affected Systems

WordPress sites running the ThemeREX Verse theme, version 1.7.0 or earlier, are affected. No specific release dates are given, but the issue applies to all releases up to and including 1.7.0.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.1, reflecting high severity. EPSS indicates exploitation probability is below 1%, suggesting that attacks are unlikely to be widespread but still possible. The flaw is not listed in the CISA KEV catalog. Although the description does not state the attack vector explicitly, the nature of the issue implies that a remote web attacker can trigger the inclusion via crafted input to the theme’s processing logic. The absence of a relevant workaround increases the risk to systems that have not applied the patch, even where proper permission controls are in place.

Generated by OpenCVE AI on April 15, 2026 at 22:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Verse theme update that removes insecure filename handling.
  • Restrict PHP file write permissions on the theme directory to prevent upload or editing of PHP files.
  • Add a .htaccess rule in the theme directory to block PHP execution, ensuring any PHP files cannot be run.



Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Themerex; Themerex verse; Wordpress; Wordpress wordpress
Vendors & Products | | Themerex; Themerex verse; Wordpress; Wordpress wordpress

Fri, 06 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Verse verse allows PHP Local File Inclusion. This issue affects Verse: from n/a through <= 1.7.0.
Title | | WordPress Verse theme <= 1.7.0 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:48.344Z

Reserved: 2026-02-25T12:14:12.838Z

Link: CVE-2026-28128

Vulnrichment

Updated: 2026-03-05T14:51:01.336Z

NVD

Status: Awaiting Analysis

Published: 2026-03-05T06:16:47.670

Modified: 2026-03-05T19:38:33.877

Link: CVE-2026-28128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:00:10Z
