Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly Theme Addons greenly-addons allows PHP Local File Inclusion.This issue affects Greenly Theme Addons: from n/a through < 8.2.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (Potential RCE)
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP, allowing a Local File Inclusion attack in the Greenly Theme Addons plugin of WordPress. This flaw corresponds to CWE-98 and can enable an attacker to include arbitrary files from the server, potentially exposing sensitive data or executing malicious code under the web server’s permission. The impact therefore spans from compromised confidentiality to complete code execution, depending on the files that can be targeted.

Affected Systems

Affected product: Creatives_Planet Greenly Theme Addons. All versions from the initial release up to, but not including, version 8.2 are vulnerable. Any installation using Greenly Theme Addons less than 8.2 is potentially exposed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity level. The EPSS score is less than 1%, suggesting that the likelihood of exploitation observed in the wild is low at present, and it is not listed in the CISA KEV catalog. However, the attack vector is inferred as a local inclusion triggered via input parameters handled by the plugin; an attacker might need some level of authenticated access or ability to influence the inclusion path, but could also be exploited by publicly accessible URLs if the plugin does not properly sanitize input. Given the high potential impact, it is recommended to address the flaw promptly.

Generated by OpenCVE AI on March 17, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Greenly Theme Addons to version 8.2 or later
  • If an upgrade is not immediately possible, consider disabling or removing the plugin to eliminate the vulnerability
  • Verify the server filesystem for any unexpected files that may have been exposed if the vulnerability was exploited
  • Monitor web application logs for anomalous file inclusion attempts or unauthorized access patterns

Generated by OpenCVE AI on March 17, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Creatives Planet
Creatives Planet greenly Theme Addons
Wordpress
Wordpress wordpress
Vendors & Products Creatives Planet
Creatives Planet greenly Theme Addons
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Greenly Theme Addons greenly-addons allows PHP Local File Inclusion.This issue affects Greenly Theme Addons: from n/a through < 8.2.
Title WordPress Greenly Theme Addons plugin < 8.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Creatives Planet Greenly Theme Addons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:08.077Z

Reserved: 2026-03-12T11:11:09.667Z

Link: CVE-2026-32393

cve-icon Vulnrichment

Updated: 2026-03-17T13:30:07.967Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:54.857

Modified: 2026-03-17T14:16:16.340

Link: CVE-2026-32393

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:04:08Z

Weaknesses