Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through <= 1.3.21.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Patch
AI Analysis

Impact

The Freeio theme contains an improper validation of filenames used in PHP include/require statements. This flaw allows an attacker to supply a crafted path that may be included as a local file. Inclusion of arbitrary local files can expose sensitive information or, if the file contains executable PHP code, could enable execution of malicious code on the server. Based on the description, it is inferred that an attacker could gain code execution if a malicious PHP file is included. The vulnerability is categorized as CWE‑98.

Affected Systems

All installations of the ApusTheme Freeio WordPress theme with a version number of 1.3.21 or earlier are affected. The issue is applicable to any WordPress site using a vulnerable theme version and does not specify additional platform components.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity flaw, while the EPSS score of less than 1% suggests that exploitation is currently unlikely. The flaw is not listed in CISA's KEV catalog, implying no widely known public exploits. The attack vector presumably involves an HTTP request that injects a path into the vulnerable include logic, and no authentication requirement is stated, so it may be exploitable by unauthenticated users. Because the flaw may lead to remote code execution, the risk to affected sites is significant if exploitation occurs.

Generated by OpenCVE AI on April 13, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Freeio theme to version 1.3.22 or later.
  • If an upgrade is not immediately possible, replace or remove the include/require logic that accepts uncontrolled filenames, ensuring that file paths are strictly validated.
  • Apply correct file permission settings to restrict server access to sensitive files.
  • Verify that the WordPress core, plugins, and other themes are up to date.
  • Monitor web traffic for suspicious include attempts and block offending IPs.

Generated by OpenCVE AI on April 13, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Apustheme
Apustheme freeio
Wordpress
Wordpress wordpress
Vendors & Products Apustheme
Apustheme freeio
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through <= 1.3.21.
Title WordPress Freeio theme <= 1.3.21 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Apustheme Freeio
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.902Z

Reserved: 2026-04-07T10:58:05.155Z

Link: CVE-2026-39679

cve-icon Vulnrichment

Updated: 2026-04-13T19:56:21.938Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:39.617

Modified: 2026-04-24T18:06:04.160

Link: CVE-2026-39679

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:38:37Z

Weaknesses