Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion. This issue affects Homeo: from n/a through <= 1.2.59.
Published: 2026-04-08
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion
Action: Immediate Update
AI Analysis

Impact

The vulnerability arises from an improper control of the filename used in a PHP include/require statement within the ApusTheme Homeo WordPress theme. Attackers can force the application to include arbitrary files, potentially exposing sensitive configuration data or executing injected PHP code. This flaw can lead to full compromise of the site, aligning with CWE‑98.

Affected Systems

Any WordPress site that incorporates the Homeo theme version 1.2.59 or older is affected. No other products or platforms are listed.

Risk and Exploitability

The flaw enables Local File Inclusion, which can be leveraged for remote code execution if an attacker can supply a path to a PHP file they control. The lack of CVSS or EPSS data does not suggest a low risk, and the potential severity warrants caution. The exploit requires some user interaction or uploaded content, making the risk moderate to high in the absence of a patch.

Generated by OpenCVE AI on April 8, 2026 at 09:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Homeo theme update that fixes the LFI issue.
  • Verify that the Homeo theme version is 1.2.60 or later.
  • Disable WordPress file editing by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.
  • If an update is not yet available, restrict the theme directory permissions to read-only for the owner to limit local file access.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 19:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Apustheme; Apustheme homeo; Wordpress; Wordpress wordpress
Vendors & Products | | Apustheme; Apustheme homeo; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion. This issue affects Homeo: from n/a through <= 1.2.59.
Title | | WordPress Homeo theme <= 1.2.59 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-08T08:30:41.127Z

Reserved: 2026-04-07T10:58:05.155Z

Link: CVE-2026-39681

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-08T09:16:39.870

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-39681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:40:39Z

Weaknesses