Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through <= 3.9.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Apply patch
AI Analysis

Impact

The vulnerability exists in PHP code of the WordPress Emphires theme, where an attacker can manipulate the filename used in an include or require statement to load an arbitrary local file. This allows the attacker to read sensitive files or execute arbitrary PHP code, potentially compromising the confidentiality, integrity, and availability of the impacted website. The weakness corresponds to improper control of filename for include/require.

Affected Systems

WordPress installations that use the Creatives Planet Emphires theme version 3.9 or earlier are affected. The issue impacts all sites that have retained older theme releases that have not been updated.

Risk and Exploitability

The CVSS score of 7.5 indicates a high risk, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is local via manipulated application input that triggers the include. An attacker with access to the website’s file inclusion mechanism could exploit this flaw without needing privileged credentials.

Generated by OpenCVE AI on April 13, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Emphires theme to the latest available version (recommended 4.0 or newer).
  • If an update is not immediately possible, deactivate or remove the Emphires theme to eliminate the vulnerable code path.
  • Ensure that the website’s file inclusion handling uses safe paths and does not allow arbitrary user-controlled input.
  • Maintain up-to-date WordPress core and other plugins to reduce overall attack surface.

Generated by OpenCVE AI on April 13, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Creatives Planet
Creatives Planet emphires
Wordpress
Wordpress wordpress
Vendors & Products Creatives Planet
Creatives Planet emphires
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion.This issue affects Emphires: from n/a through <= 3.9.
Title WordPress Emphires theme <= 3.9 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Creatives Planet Emphires
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.973Z

Reserved: 2026-04-07T10:58:05.155Z

Link: CVE-2026-39677

cve-icon Vulnrichment

Updated: 2026-04-13T20:08:17.574Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:39.360

Modified: 2026-04-24T18:06:04.160

Link: CVE-2026-39677

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:38Z

Weaknesses