Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Trendustry trendustry allows PHP Local File Inclusion. This issue affects Trendustry: from n/a through <= 1.1.4.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion potentially leading to server compromise
Action: Immediate Patch
AI Analysis

Impact

The Trendustry theme for WordPress contains an error in handling filenames used by PHP include/require statements, allowing a malicious user to influence the path that the theme loads. This flaw enables Local File Inclusion and, depending on the server configuration, the execution of arbitrary code. The weakness is classified as an improper control of filename (CWE‑98).

Affected Systems

All installations using CreativeWS Trendustry theme versions up to and including 1.1.4 are affected. Sites running any of these releases can potentially allow a user to supply a file path that the theme will include.

Risk and Exploitability

The vulnerability scores 8.1 on the CVSS scale, indicating high severity, but its EPSS score is below 1% and it is not listed in the CISA KEV catalog, suggesting a low immediate exploitation likelihood. Based on the description, it is inferred that the attack vector is a crafted request, such as a URL or form input, containing a malicious file path. No authentication is required, and successful exploitation could grant an attacker the ability to read sensitive files or execute code, potentially giving full control over the affected WordPress site.

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Trendustry theme update (v1.1.5 or newer).
  • If an update is not immediately available, deactivate the Trendustry theme and switch to a different, trusted theme.
  • Ensure the theme’s code restricts include/require paths to predetermined safe directories and removes any user‑controlled parameters.
  • Configure a web application firewall or set appropriate .htaccess rules to block directory traversal and unauthorized file inclusion attempts.
  • Monitor site logs for suspicious file inclusion patterns and keep WordPress core and all plugins up to date.

Generated by OpenCVE AI on March 26, 2026 at 17:29 UTC.
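
The third recommended action above (restrict include/require paths to predetermined directories and remove user-controlled parameters), sketched in PHP as an added example. It is not OpenCVE's or the Trendustry theme's code; the template keys, file names and the resolve_template() helper are hypothetical.

```php
<?php
// Added illustration of a CWE-98 mitigation; hypothetical names throughout.
// Pattern to avoid: include $dir . '/' . $_GET['layout'] . '.php';

// Request values are lookup keys only; the paths are fixed by the developer.
const ALLOWED_TEMPLATES = [
    'grid' => 'layouts/grid.php',
    'list' => 'layouts/list.php',
];

// Returns the canonical template path, or null when the key is not
// allowlisted, the file is missing, or it resolves outside $baseDir.
function resolve_template(string $baseDir, string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null;
    }
    // realpath() collapses "..", resolves symlinks, and fails on missing files.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . ALLOWED_TEMPLATES[$key]);
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the resolved file must sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a throwaway directory holding one real template.
$dir = sys_get_temp_dir() . '/tpl_demo_' . bin2hex(random_bytes(4));
mkdir($dir . '/layouts', 0700, true);
file_put_contents($dir . '/layouts/grid.php', '<?php echo "grid layout\n";');

foreach (['grid', '../outside/secret', 'list'] as $requested) {
    $file = resolve_template($dir, $requested);
    if ($file === null) {
        echo "rejected: {$requested}\n";
        continue;
    }
    include $file;
}

// Clean up the constructed files.
unlink($dir . '/layouts/grid.php');
rmdir($dir . '/layouts');
rmdir($dir);
```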

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Creativews; Creativews trendustry; Wordpress; Wordpress wordpress
Vendors & Products | | Creativews; Creativews trendustry; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Trendustry trendustry allows PHP Local File Inclusion. This issue affects Trendustry: from n/a through <= 1.1.4.
Title | | WordPress Trendustry theme <= 1.1.4 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T14:59:38.674Z

Reserved: 2026-03-12T11:12:07.664Z

Link: CVE-2026-32503

Vulnrichment

Updated: 2026-03-26T14:59:22.241Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:02.353

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32503

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:58Z

Weaknesses