Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion.

This issue affects WaveRide: from n/a through 1.4.
Published: 2026-06-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Select-Themes WaveRide WordPress theme contains an improper control of filename in a PHP include/require statement (CWE‑98). This flaw can allow an attacker to trigger local file inclusion, potentially read sensitive files, and, depending on server configuration, could enable execution of arbitrary code. Execution of arbitrary code is an inference based on the LFI capability.

Affected Systems

Select-Themes:WaveRide WordPress theme releases up to version 1.4 are affected. WordPress sites that use this theme are vulnerable; versions newer than 1.4 are presumed not affected.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity. An attacker can exploit it by sending a crafted request that causes the theme to include a local file; the exact attack vector is not fully detailed in the advisory, so the likely vector appears to be through web input that passes to the include statement. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog; remote code execution is an inference based on the local file inclusion capability and could be possible depending on server configuration.

Generated by OpenCVE AI on June 2, 2026 at 16:27 UTC.

Remediation

Vendor Solution

Update the WordPress WaveRide Theme to the latest available version (at least 1.5).

OpenCVE Recommended Actions

  • Upgrade the WaveRide theme to version 1.5 or later, which removes the insecure filename handling.
  • Ensure that all include or require calls in the theme validate the target path against a whitelist, preventing arbitrary file resolution.
  • Restrict theme edit permissions, disable the WordPress Edit Files feature, and limit access to users who need it to reduce the attack surface.

Generated by OpenCVE AI on June 2, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Select-themes
Select-themes waveride
Wordpress
Wordpress wordpress
Vendors & Products Select-themes
Select-themes waveride
Wordpress
Wordpress wordpress

Tue, 02 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes WaveRide allows PHP Local File Inclusion. This issue affects WaveRide: from n/a through 1.4.
Title WordPress WaveRide theme <= 1.4 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Select-themes Waveride
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T14:45:37.674Z

Reserved: 2026-04-07T10:48:26.892Z

Link: CVE-2026-39553

cve-icon Vulnrichment

Updated: 2026-06-02T14:45:34.281Z

cve-icon NVD

Status : Deferred

Published: 2026-06-02T14:16:52.217

Modified: 2026-06-02T14:43:49.920

Link: CVE-2026-39553

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:51:21Z

Weaknesses