Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion. This issue affects Biolife: from n/a through <= 3.2.3.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

Improper control of the filename used in PHP include/require statements in the Kutethemes Biolife WordPress theme allows an attacker to specify a local file path. This flaw, classified as CWE‑98, can enable the reading of arbitrary files on the server, such as wp‑config.php or other sensitive configuration files, potentially exposing credentials or server configuration information. The impact is primarily confidentiality and integrity compromise; the CVE description does not explicitly state code execution or full site takeover.

Affected Systems

The vulnerability affects the Kutethemes Biolife theme in all versions up to and including 3.2.3; the record gives no lower bound ("from n/a"), so every installed version should be treated as affected. Any WordPress site running 3.2.3 or earlier is at risk, including sites where the theme is installed but not active, since its PHP files remain on disk under wp-content/themes.

Risk and Exploitability

The CVSS base score of 7.5 places this issue in the high severity range. Note what the vector (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) actually says: network-reachable, no user interaction, but high attack complexity and low privileges required, so the scoring assumes an authenticated low-privilege account rather than an anonymous visitor. The EPSS probability is reported as less than 1%, indicating a low likelihood of exploitation at present, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no (with Technical Impact: total). The likely attack vector is an HTTP request to a theme script in which a parameter (a template or file name) reaches an include/require statement without an allowlist or path-containment check, so that directory traversal sequences escape the intended directory. Once the attacker controls the included path they can expose sensitive local files, and because include() executes PHP in whatever it loads, any attacker-writable file on the server (uploaded media, log files, session or temp files) can turn the inclusion into code execution. Sites that accept uploads from low-privilege users should therefore treat this as a potential remote-code-execution path, not only a disclosure issue.
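To make the weakness class concrete, the following is an added example of the CWE-98 pattern described in the Impact and Risk sections. It is not code from the Biolife theme, from Patchstack or from OpenCVE; the parameter name, template names, directory layout and the self-check inputs are all hypothetical and constructed for illustration. The vulnerable function shows how a request parameter reaching include() permits traversal; the hardened version applies an exact-match allowlist and then a canonical-path containment check before including anything.

```php
<?php
// Added example, not code from the Biolife theme: a generic WordPress-theme
// pattern that turns a request parameter into an include() target (CWE-98),
// beside a hardened version. Names, paths and inputs are hypothetical.
declare(strict_types=1);

// --- Vulnerable shape (CWE-98): untrusted input flows straight into include ---
function load_template_vulnerable(string $templateDir, array $request): void
{
    // e.g. ?template=../../wp-config  or  ?template=../../../uploads/avatar.jpg
    $tpl = (string) ($request['template'] ?? 'default');
    // No validation: "../" escapes $templateDir. Because this is include(), any
    // PHP in the target file is executed, and non-PHP content is echoed verbatim.
    include $templateDir . '/' . $tpl . '.php';
}

// --- Hardened shape: exact-match allowlist, then canonical-path containment ---
const ALLOWED_TEMPLATES = ['default', 'product-grid', 'product-list'];

function resolve_template(string $templateDir, string $tpl): ?string
{
    // 1. Allowlist of the only names the theme legitimately loads. strict=true
    //    so values such as "default\0" or "0" never loosely compare as a match.
    if (!in_array($tpl, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise (resolves "..", symlinks) and confirm the
    //    result still sits under $templateDir before handing it to include().
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $tpl . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

function load_template_hardened(string $templateDir, array $request): void
{
    $path = resolve_template($templateDir, (string) ($request['template'] ?? 'default'));
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $path;
}

// Self-check on a scratch directory with constructed files (no real theme involved).
function self_check(): array
{
    $root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
    mkdir($root . '/templates', 0700, true);
    file_put_contents($root . '/templates/default.php', "<?php echo 'default template';");
    file_put_contents($root . '/secret.php', "<?php \$db_password = 'constructed';");
    $dir = $root . '/templates';

    $results = [
        'default (allowed)'        => resolve_template($dir, 'default') !== null,
        '../secret'                => resolve_template($dir, '../secret') === null,
        '../../../../etc/passwd'   => resolve_template($dir, '../../../../etc/passwd') === null,
        "default\\0 (null byte)"   => resolve_template($dir, "default\0") === null,
        'product-list (no file)'   => resolve_template($dir, 'product-list') === null,
    ];

    unlink($root . '/templates/default.php');
    unlink($root . '/secret.php');
    rmdir($root . '/templates');
    rmdir($root);
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (self_check() as $case => $ok) {
        printf("%-26s %s\n", $case, $ok ? 'ok' : 'FAIL');
    }
}
```

Run it with `php lfi-demo.php` and every self-check line should print `ok`. The allowlist is the real control; the realpath() check is a second layer that also catches an allowlisted name whose file is missing or has been replaced by a symlink pointing outside the theme directory. When hunting for this class in a theme, grep for include/require whose argument is built from $_GET, $_POST, $_REQUEST or query_var values and check whether anything between the input and the include performs an exact-match comparison rather than a substring or regex filter.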

Generated by OpenCVE AI on April 9, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Biolife theme to a version newer than 3.2.3 as soon as the vendor publishes one, following the vendor's update instructions; at the time of writing the page records no vendor fix or workaround.
  • Until a fixed release is available, remove the theme entirely if it is not in active use (inactive theme files remain on disk and may still be reachable), audit which low-privilege accounts exist since the CVSS vector assumes authenticated access, and restrict or review user uploads so that attacker-controlled files cannot be combined with the inclusion.
  • Watch web server logs for requests to paths under wp-content/themes/biolife/ whose query parameters contain "../", encoded traversal sequences, or php:// stream wrappers.


Advisories

No advisories yet.

History

Fri, 01 May 2026 04:15:00 +0000
  Metrics, values added (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 21:30:00 +0000
  Metrics, values added (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 19:45:00 +0000
  First Time appeared, values added: Kutethemes; Kutethemes biolife; Wordpress; Wordpress wordpress
  Vendors & Products, values added: Kutethemes; Kutethemes biolife; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000
  Description, values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion. This issue affects Biolife: from n/a through <= 3.2.3.
  Title, values added: WordPress Biolife theme <= 3.2.3 - Local File Inclusion vulnerability
  Weaknesses, values added: CWE-98
  References, values added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:02.641Z

Reserved: 2026-04-07T10:57:36.650Z

Link: CVE-2026-39623

Vulnrichment

Updated: 2026-04-09T20:28:15.244Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:32.547

Modified: 2026-04-24T18:06:58.907

Link: CVE-2026-39623

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:40:56Z

Weaknesses