Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion. This issue affects Freeio: from n/a through <= 1.3.21.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from insecure handling of filenames in PHP include/require statements within the ApusTheme Freeio theme. The flaw enables an attacker to include arbitrary local files on the server, which could expose configuration data, credentials, or allow execution of PHP code if a malicious file is placed in a writable directory. This weakness is classified as CWE-98.

Affected Systems

WordPress sites that use the ApusTheme Freeio theme version 1.3.21 or earlier are affected. The issue applies to all releases up to and including 1.3.21, as indicated by the vendor, so any installation running a version in that range is vulnerable.

Risk and Exploitability

The risk is moderate to high because local file inclusion can reveal sensitive data or enable code execution. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can supply a crafted file path in a URL parameter or form input, making the attack vector remote. Administrators should treat this flaw as critical until a fixed theme version is released or an effective workaround is applied.

Generated by OpenCVE AI on April 8, 2026 at 10:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Freeio theme to a version that fixes the inclusion flaw, if one is available.
  • If no update exists, mitigate by configuring PHP's open_basedir restriction or limiting the include path to trusted directories so that only intended files can be included.
  • Ensure that user uploads are validated and stored outside the webroot or in a directory that does not allow PHP execution.
  • Regularly review file permissions and delete any unnecessary PHP files from the server root.
  • Apply general WordPress security best practices: keep core, plugins, and themes updated, and monitor web logs for suspicious include path attempts.



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion. This issue affects Freeio: from n/a through <= 1.3.21.
Title WordPress Freeio theme <= 1.3.21 - Local File Inclusion vulnerability
Weaknesses CWE-98
References


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:40.735Z

Reserved: 2026-04-07T10:58:05.155Z

Link: CVE-2026-39679

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:39.617

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39679

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:40:42Z
