Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS MetaMax metamax allows PHP Local File Inclusion. This issue affects MetaMax: from n/a through <= 1.1.4.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises from an improper control of the filename used in a PHP include or require statement, allowing a local file inclusion (LFI) attack. An attacker could exploit this weakness to read arbitrary files from the server or execute code that is already present on the filesystem, potentially leading to disclosure of sensitive data or compromising the integrity of the WordPress installation. The weakness is identified by CWE‑98.

Affected Systems

The issue affects WordPress sites using the CreativeWS MetaMax theme, specifically all releases through version 1.1.4. Any site with this theme installed at a vulnerable version is susceptible.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. EPSS shows an exploit probability of less than 1%, and the vulnerability is not currently listed in CISA’s KEV catalog. The likely attack vector is local file inclusion triggered by a crafted request that feeds a malformed filename into the theme’s PHP code. Exploitation requires the attacker to send a request to the target WordPress site and may be limited by web‑server permissions, but once successful it can lead to unauthorized file access or code execution.

Generated by OpenCVE AI on March 26, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the MetaMax theme to version 1.1.5 or later, if available.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Creativews
Creativews metamax
Wordpress
Wordpress wordpress
Vendors & Products Creativews
Creativews metamax
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS MetaMax metamax allows PHP Local File Inclusion. This issue affects MetaMax: from n/a through <= 1.1.4.
Title WordPress MetaMax theme <= 1.1.4 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:31:38.914Z

Reserved: 2026-03-12T11:12:07.663Z

Link: CVE-2026-32500

Vulnrichment

Updated: 2026-03-26T18:25:38.560Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:01.950

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32500

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:01Z

Weaknesses