Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion. This issue affects VintWood: from n/a through <= 1.1.8.
Published: 2026-03-25
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The VintWood theme for WordPress contains a flaw where the filename used in a PHP include or require statement is not properly sanitized, allowing an attacker to cause PHP to include arbitrary local files during script execution. The official description does not show the attack vector; it is likely a crafted HTTP request that supplies a filename value to the vulnerable code, as is common for LFI. Reading local files can expose sensitive configuration or data and, if the included content can execute code, may lead to further compromise, although that outcome is an inference rather than an explicit claim in the CVE entry.

Affected Systems

CreativeWS VintWood theme versions up to and including 1.1.8 deployed on any WordPress site are affected. The vulnerability relates solely to the theme’s PHP files; WordPress core and other plugins are not directly impacted by this issue.

Risk and Exploitability

The CVSS base score of 8.1 signals a high overall risk. The EPSS score of less than 1% indicates a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. It is likely exploitable by sending a manipulated HTTP request to the affected theme script, requiring web application access. The potential impact is limited to the affected WordPress site unless additional weaknesses exist.

Generated by OpenCVE AI on March 26, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the VintWood theme to a version newer than 1.1.8.
  • Verify that the update removes or secures the include/require functionality.
  • If an immediate upgrade is not possible, restrict direct web access to the theme’s PHP files—e.g., by placing the theme’s directory outside the webroot or by applying access controls.
  • Monitor server logs for unusual inclusion attempts and keep WordPress core, the theme, and all other plugins up to date.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Creativews
Creativews vintwood
Wordpress
Wordpress wordpress
Vendors & Products Creativews
Creativews vintwood
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion. This issue affects VintWood: from n/a through <= 1.1.8.
Title WordPress VintWood theme <= 1.1.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T18:22:32.357Z

Reserved: 2026-03-12T11:12:07.664Z

Link: CVE-2026-32504

Vulnrichment

Updated: 2026-03-26T18:22:28.574Z

NVD

Status: Deferred

Published: 2026-03-25T17:17:02.490

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32504

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:30:58Z

Weaknesses