CVE-2026-32392 - Vulnerability Details

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1.

Published: 2026-03-13

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from improper validation of filenames used in a PHP include/require statement within the Greenly WordPress theme. The CVE description states that this flaw allows PHP Local File Inclusion, which is identified as CWE-98. Local file inclusion can enable an attacker to read or execute arbitrary files on the web server, potentially leading to the execution of malicious code, compromise of confidential data, or service disruption.

Affected Systems

The issue impacts the Creatives_Planet Greenly theme for WordPress for all releases up to and including version 8.1. No specific patch or later versions are listed, so any deployment using the theme version 8.1 or earlier is considered vulnerable. The affected CPEs are not provided; the vendor and product identifiers are Creatives_Planet:Greenly.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector would involve manipulating a local filename parameter within the theme’s PHP code. It is inferred that an attacker could supply a crafted filename to include arbitrary local files, potentially leading to exploitation. The description does not explicitly state the method of exploitation, so this inference is based on the nature of the vulnerability described.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Creatives_Planet

Greenly

unaffected

Version	Status	Constraints
`0`	affected	≤ 8.1

No data.

Vendor Product Confidence Versions

Creatives Planet

Greenly

100%

Version	Status	Scheme	Platform
`[0,8.1]`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Greenly theme to the latest release (version > 8.1) if available.
If no update is available, review the theme developer’s advisories or support channels for a patch.
As a temporary workaround, restrict PHP include paths to a safe directory and validate filename inputs before use.
Consider disabling unnecessary PHP functions such as include() and require() through server configuration if the theme’s functionality permits.
Regularly monitor the theme’s security advisories and apply updates promptly.

Generated by OpenCVE AI on March 17, 2026 at 16:57 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00127.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/greenly/vulnerability/wordpress-greenly-theme-8-1-local-file-inclusion-vulnerability?_s_id=cve

History

Mon, 16 Mar 2026 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 16 Mar 2026 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Creatives Planet Creatives Planet greenly Wordpress Wordpress wordpress
Vendors & Products		Creatives Planet Creatives Planet greenly Wordpress Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
Description		Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly greenly allows PHP Local File Inclusion.This issue affects Greenly: from n/a through <= 8.1.
Title		WordPress Greenly theme <= 8.1 - Local File Inclusion vulnerability
Weaknesses		CWE-98
References		https://patchstack.com/database/Wordpress/Theme/greenly/vulnerability/wordpress-greenly-theme-8-1-local-file-inclusion-vulnerability?_s_id=cve

Subscriptions

Creatives Planet Greenly

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-13T11:42:10.798Z

Updated: 2026-04-01T14:16:07.871Z

Reserved: 2026-03-12T11:11:09.667Z

Link: CVE-2026-32392

Vulnrichment

Updated: 2026-03-16T15:40:32.918Z

NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:54.733

Modified: 2026-03-16T16:16:15.203

Link: CVE-2026-32392

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:04:09Z

Weaknesses

CWE-98

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object