Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion. This issue affects Homeo: from n/a through <= 1.2.59.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion (potential remote code execution)
Action: Immediate Patch
AI Analysis

Impact

The flaw is an improper control of filenames for include/require statements, allowing an attacker to supply a crafted path that causes the theme’s PHP code to read arbitrary local files. If the attacker can influence the included content to contain PHP code, local file inclusion can lead to remote code execution. The weakness corresponds to CWE‑98 and can compromise both confidentiality and integrity of the WordPress site.

Affected Systems

ApusTheme Homeo for WordPress is affected in all versions from the initial release through 1.2.59.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability is high severity, yet its EPSS score of less than 1% indicates a low probability of real‑world exploitation. The issue is not listed in CISA’s KEV catalog. An attacker would need web access to the site and can trigger the inclusion of arbitrary local files by manipulating URL parameters. Successful exploitation would execute code with the web server’s privileges, potentially allowing full site compromise.

Generated by OpenCVE AI on April 13, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Homeo theme to a version newer than 1.2.59
  • If an upgrade is not feasible, remove or harden the vulnerable include logic so only whitelisted files can be loaded
  • Configure PHP’s open_basedir to restrict file inclusion to the application directory
  • Monitor web server logs for anomalous file inclusion attempts and block suspicious requests
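
One way to apply the allowlist recommendation above, as an added example that is not the Homeo theme's code. The function name `resolve_template`, the template keys and file names, and the demo directory are all hypothetical; PHP 8 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist loader (PHP 8+), not the Homeo theme's code.
// Request input only selects a key; the path passed to include always
// comes from this fixed map, never from the request itself.
const TEMPLATE_ALLOWLIST = [
    'grid' => 'loop-grid.php',
    'list' => 'loop-list.php',
];

function resolve_template(string $baseDir, mixed $requested): ?string
{
    // Arrays (?style[]=x) and unknown keys are rejected outright.
    if (!is_string($requested) || !array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$requested]);
    // Defence in depth: after symlink resolution the target must still be
    // a regular file inside the template directory.
    if ($path === false || !is_file($path)
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway directory holding one template.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl-demo-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/loop-grid.php', "<?php echo 'grid template', PHP_EOL;");

// Constructed inputs: a valid key, an allowlisted key whose file is missing,
// a path instead of a key, a file name instead of a key, and an array.
foreach (['grid', 'list', '../outside.php', 'loop-grid.php', ['grid']] as $input) {
    $path = resolve_template($dir, $input);
    echo json_encode($input, JSON_UNESCAPED_SLASHES), ' => ';
    if ($path !== null) {
        echo 'included: ';
        include $path;
    } else {
        echo 'rejected', PHP_EOL;
    }
}
unlink($dir . '/loop-grid.php');
rmdir($dir);
```

Only the first input is included; the other four are rejected before any path reaches `include`.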

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 20:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 08 Apr 2026 19:30:00 +0000

Type: First Time appeared
Values Added: Apustheme; Apustheme homeo; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Apustheme; Apustheme homeo; Wordpress; Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Homeo homeo allows PHP Local File Inclusion. This issue affects Homeo: from n/a through <= 1.2.59.

Type: Title
Values Added: WordPress Homeo theme <= 1.2.59 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:03.967Z

Reserved: 2026-04-07T10:58:05.155Z

Link: CVE-2026-39681

Vulnrichment

Updated: 2026-04-13T19:49:29.347Z

NVD

Status: Deferred

Published: 2026-04-08T09:16:39.870

Modified: 2026-04-24T18:06:04.160

Link: CVE-2026-39681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:38:36Z
