Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion.

This issue affects Motors: from n/a through 1.4.109.
Published: 2026-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an improper control of the filename used in PHP include/require statements within the StylemixThemes Motors plugin. An attacker can supply a crafted value that forces the plugin to include local files, potentially allowing the attacker to read sensitive data or execute injected PHP code. This flaw is classified as a PHP Remote File Inclusion type of weakness, although the current description limits the attack to local files.

Affected Systems

The defect impacts all installations of the StylemixThemes Motors plugin from its earliest release through version 1.4.109. WordPress sites that have the plugin active are therefore at risk if the plugin has not been updated to 1.4.110 or newer.

Risk and Exploitability

The CVSS score of 8.1 marks this as a high‑severity issue. No EPSS score is published, and the vulnerability is not listed in CISA’s KEV catalog, indicating no widely known exploits yet. The likely attack vector is via a web request that includes a malicious query parameter to the plugin’s inclusion point. If the attacker can control the input, local file paths can be read or executed, potentially leading to full code execution or extensive data exposure.

Generated by OpenCVE AI on June 18, 2026 at 13:49 UTC.

Remediation

Vendor Solution

Update the WordPress Motors Plugin to the latest available version (at least 1.4.110).


OpenCVE Recommended Actions

  • Update the WordPress Motors Plugin to version 1.4.110 or later.
  • Restrict file permissions for the plugin directories so that only the web server can read/write what is necessary.
  • Monitor web server logs for unusual include/require activity and set up alerts.

Generated by OpenCVE AI on June 18, 2026 at 13:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Stylemix
Stylemix motors
Wordpress
Wordpress wordpress
Vendors & Products Stylemix
Stylemix motors
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion. This issue affects Motors: from n/a through 1.4.109.
Title WordPress Motors plugin <= 1.4.109 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Stylemix Motors
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-17T14:41:50.427Z

Reserved: 2026-06-16T09:21:46.612Z

Link: CVE-2026-54814

cve-icon Vulnrichment

Updated: 2026-06-17T14:41:45.453Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T13:15:03Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')