Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemetechMount Boldman boldman allows PHP Local File Inclusion.This issue affects Boldman: from n/a through <= 7.7.
Published: 2026-03-13
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential RCE)
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP, allowing an attacker to perform Local File Inclusion on WordPress sites using the ThemetechMount Boldman theme version 7.7 or earlier. This flaw can enable the attacker to read sensitive files or, if the server configuration permits, execute arbitrary code by including malicious files. The weakness corresponds to CWE‑98.

Affected Systems

This issue affects the WordPress Boldman theme produced by ThemetechMount. Any site running Boldman from its earliest release through version 7.7 is vulnerable. Any newer version is not affected per the vendor data.

Risk and Exploitability

The CVSS base score is 7.5, indicating moderate to high risk. The EPSS score is below 1 %, suggesting a low probability of exploitation in current threat data. The vulnerability is not listed in the CISA KEV catalog. Attackers would likely trigger the flaw by supplying crafted input that exploits the include/require mechanism in the theme's PHP code; however, the exact attack vector is not defined in the vendor description and would require further analysis of the theme's file handling logic.

Generated by OpenCVE AI on March 19, 2026 at 14:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Boldman theme version (greater than 7.7) to remove the vulnerability.
  • If an immediate upgrade is not possible, disable or remove the file inclusion functionality in the theme's PHP code or use a security plugin to restrict file access.
  • Verify that the WordPress installation, PHP, and all themes/plugins are updated to the latest secure releases.

Generated by OpenCVE AI on March 19, 2026 at 14:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Themetechmount
Themetechmount boldman
Wordpress
Wordpress wordpress
Vendors & Products Themetechmount
Themetechmount boldman
Wordpress
Wordpress wordpress

Fri, 13 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 13 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemetechMount Boldman boldman allows PHP Local File Inclusion.This issue affects Boldman: from n/a through <= 7.7.
Title WordPress Boldman theme <= 7.7 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Themetechmount Boldman
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:16:09.383Z

Reserved: 2026-03-12T11:11:14.585Z

Link: CVE-2026-32400

cve-icon Vulnrichment

Updated: 2026-03-13T19:07:24.128Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-13T19:54:55.963

Modified: 2026-03-16T14:53:46.157

Link: CVE-2026-32400

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:04:01Z

Weaknesses