Skip to main content

LFI

1172 CVEs technique

Monthly

CVE-2026-28053 HIGH This Week

Local file inclusion in ThemeREX Miller WordPress theme through version 1.3.3 allows remote unauthenticated attackers to read arbitrary files and potentially execute malicious code via improper PHP include/require statement handling. CVSS rates this 8.1 (High) but EPSS exploitation probability is low at 0.15% (36th percentile), indicating targeted rather than widespread exploitation risk. Patchstack has documented this vulnerability but no CISA KEV listing exists, suggesting no confirmed active exploitation campaigns at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28052 HIGH This Week

Local file inclusion in ThemeREX Peter Mason WordPress theme versions up to 1.4.5 allows remote unauthenticated attackers to include and execute arbitrary PHP files from the server's filesystem. The vulnerability stems from improper validation of file paths in include/require statements (CWE-98), enabling attackers to read sensitive files, execute malicious code, or escalate privileges. EPSS score of 0.15% (36th percentile) indicates relatively low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack security research identified this flaw, suggesting security researchers are aware but widespread targeting is not yet evident.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28051 HIGH This Week

Local file inclusion in ThemeREX Yacht Rental theme versions through 2.6 enables remote attackers to read arbitrary files on the web server without authentication. The vulnerability stems from improper validation of include/require statements, classified as CWE-98 (PHP Remote File Inclusion). While CVSS scores 8.1 (High), the low EPSS score (0.15%, 36th percentile) suggests minimal observed exploitation activity. Patchstack audit team identified and reported this WordPress theme vulnerability, which affects default configurations requiring no special prerequisites beyond network access to the WordPress installation.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28050 HIGH This Week

Local file inclusion in ThemeREX Beacon WordPress theme versions ≤2.24 allows remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. Despite high-attack-complexity requirements (CVSS AC:H), this enables unauthenticated access to sensitive configuration files, credentials, and application source code. No public exploit identified at time of analysis, with low EPSS score (0.15%, 36th percentile) suggesting minimal observed exploitation activity. Patchstack advisory available but patched release version not independently confirmed.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28049 HIGH This Week

Local file inclusion in the Police Department WordPress theme through version 2.17 allows remote attackers to read arbitrary files on the server and potentially achieve remote code execution through file disclosure and log poisoning techniques. Discovered by Patchstack's audit team, this vulnerability carries an EPSS score of 0.15%, indicating low probability of widespread exploitation despite its network-accessible attack vector. No public exploit code or active exploitation has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28048 HIGH This Week

Local file inclusion in FlashMart theme versions ≤2.0.15 allows remote attackers to read arbitrary files on the server through improper filename validation in PHP include/require statements. With CVSS 8.1 (High) and CWE-98 classification, attackers can potentially access sensitive configuration files, credentials, and application source code. EPSS exploitation probability is low (0.15%, 36th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the flaw affects the WordPress theme variant.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28047 HIGH This Week

Local file inclusion in Magentech Victo WordPress theme through version 1.4.16 allows remote attackers to read arbitrary server files and potentially execute code. Despite CWE-98 classification as 'Remote File Inclusion', technical evidence and Patchstack tagging confirm local file inclusion behavior. EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability. No CISA KEV listing or public POC identified at time of analysis, though Patchstack reporting suggests researcher awareness of exploitation technique.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28046 HIGH This Week

Local file inclusion in ThemeREX Law Office WordPress theme versions up to 3.3.0 allows remote unauthenticated attackers to read arbitrary files from the server through improper PHP include/require controls. With EPSS score of 0.15%, this represents a moderate real-world exploitation probability. The vulnerability enables information disclosure attacks against WordPress sites using the affected theme, potentially exposing configuration files, credentials, and sensitive application data.

PHP LFI Microsoft Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28045 HIGH This Week

Local File Inclusion in N7 Golf Club WordPress theme through version 2.16.0 allows remote attackers to read arbitrary server files via crafted PHP file path manipulation. Despite CVSS 8.1, exploitation requires specific attack chain complexity (AC:H). EPSS 0.15% indicates minimal active exploitation observed. No CISA KEV listing or public POC identified at time of analysis, suggesting limited attacker interest in this WordPress theme vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28043 CRITICAL Act Now

The ThemeREX Healer WordPress theme through version 1.0.0 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file include statements. An attacker can exploit this to access sensitive configuration files, database credentials, and other protected data without authentication. No patch is currently available and exploitation requires no user interaction.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-28041 HIGH This Week

Local File Inclusion in AncoraThemes Grit WordPress theme (versions ≤1.0.1) allows remote attackers to include arbitrary local files through improper validation of PHP include/require statements. Attack requires high complexity (CVSS AC:H) but no authentication, enabling unauthenticated attackers to achieve high confidentiality, integrity, and availability impact. EPSS score of 0.15% (36th percentile) indicates relatively low mass exploitation probability despite network attack vector. Patchstack audit team identified this vulnerability affecting PHP-based file operations with potential for information disclosure.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28039 HIGH This Week

Local file inclusion in wpDataTables plugin for WordPress (versions up to 6.5.0.1) enables authenticated attackers to read arbitrary files from the web server filesystem with high complexity conditions. An attacker with low-privilege access can include PHP files or extract sensitive configuration data (database credentials, API keys) from readable server files. EPSS score of 0.13% (32nd percentile) indicates low observed exploitation probability, with no CISA KEV listing or public POC identified at time of analysis. Patchstack researchers disclosed this as a PHP local file inclusion weakness (CWE-98) exploitable over the network.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28035 HIGH This Week

Local file inclusion in ThemeREX Printy theme versions through 1.8 allows remote attackers to read arbitrary files from the web server filesystem and potentially achieve code execution. Despite high CVSS 8.1, EPSS exploitation probability is low at 0.15% (36th percentile), suggesting limited attacker interest. Patchstack has published vulnerability details, but no public exploit code or active exploitation has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28034 HIGH This Week

Local file inclusion in ThemeREX Progress WordPress theme version 1.2 and earlier allows remote attackers to read arbitrary files from the web server filesystem via PHP file inclusion flaws. Despite the 8.1 CVSS score, EPSS probability is low (0.15%, 36th percentile), indicating limited real-world exploitation activity. No CISA KEV listing confirms this remains a lower-priority vulnerability despite network reachability. Patchstack database identifies this as exploitable for information disclosure through local file access.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28033 HIGH This Week

Local file inclusion in ThemeREX Edifice WordPress theme through version 1.8 allows remote attackers to read arbitrary files on the server and potentially execute PHP code by manipulating file inclusion parameters. Exploitation requires bypassing a high attack complexity barrier (AC:H) without authentication, making this a critical vulnerability for websites using affected versions. EPSS score of 0.15% indicates minimal observed exploitation activity in the wild, and no CISA KEV listing exists at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28032 HIGH This Week

Local file inclusion in ThemeREX Tuning WordPress theme versions ≤1.3 enables remote attackers to read arbitrary files and potentially achieve code execution through PHP file inclusion mechanisms. Despite the high CVSS score (8.1), exploitation probability remains low (EPSS 0.15%, 36th percentile) and no active exploitation has been confirmed. Patchstack vulnerability database identifies this as affecting the Tuning theme through version 1.3, with the attack requiring high complexity network-based exploitation without authentication or user interaction.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28031 HIGH This Week

Local file inclusion in ThemeREX Invetex WordPress theme versions ≤2.18 allows remote attackers to include and execute arbitrary PHP files from the server's filesystem, potentially leading to remote code execution, credential theft, or full site compromise. EPSS probability of 0.15% indicates relatively low observed exploitation despite network attack vector. Patchstack security audit identified the vulnerability in PHP file handling routines where inadequate validation enables path traversal to sensitive files.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28030 HIGH This Week

Local file inclusion in ThemeREX Bonbon WordPress theme through version 1.6 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Reported by Patchstack audit team with a 0.15% EPSS score (low exploitation probability), this vulnerability allows unauthenticated network-based attacks despite high complexity requirements. No active exploitation confirmed via CISA KEV, though the LFI attack pattern is well-understood by attackers. PHP-based themes with improper include/require statement controls are common attack surfaces in WordPress environments.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28029 HIGH This Week

Local file inclusion in ThemeREX EmojiNation WordPress theme versions through 1.0.12 allows remote attackers to read arbitrary files on the web server without authentication. Despite a CVSS score of 8.1, EPSS probability of 0.15% (36th percentile) suggests limited real-world exploitation activity. Patchstack database reports this as a PHP local file inclusion vulnerability with information disclosure impact, indicating attackers can access sensitive configuration files, credentials, or source code to facilitate subsequent attacks.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28028 HIGH This Week

Local file inclusion vulnerability in ThemeREX MoneyFlow WordPress theme version 1.0 and earlier enables remote attackers to read arbitrary files from the server filesystem and potentially execute PHP code. Reported by Patchstack security researchers, this vulnerability exploits improper validation of file paths in PHP include/require statements. With EPSS exploitation probability at 0.15% (36th percentile), widespread exploitation is not yet observed, though the network-accessible attack vector combined with high confidentiality, integrity, and availability impacts warrants immediate patching for sites using this theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28027 HIGH This Week

Local file inclusion in ThemeREX Kayon WordPress theme versions through 1.3 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite network-reachable attack vector (CVSS AV:N), exploitation requires high complexity conditions (AC:H) without authentication, resulting in a moderate EPSS score of 0.15% (36th percentile). Patchstack database lists this as an actively tracked vulnerability affecting WordPress installations, though no CISA KEV listing indicates limited widespread exploitation at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28026 HIGH This Week

Local file inclusion in the Motorix WordPress theme versions 1.6 and earlier permits remote attackers to include and execute arbitrary PHP files on the server, despite high attack complexity. The vulnerability stems from improper validation of file paths in include/require statements. With EPSS exploitation probability at 0.15% (low percentile 36%), this appears to be a targeted WordPress theme vulnerability rather than widespread attack vector, though the CVSS score of 8.1 reflects the potential for complete system compromise if successfully exploited.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28025 HIGH This Week

Local file inclusion in ThemeREX Stargaze WordPress theme versions through 1.5 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Reported by Patchstack security audit team. EPSS probability of 0.15% suggests low widespread exploitation likelihood, though network-accessible vector and high impact ratings warrant attention for sites using this theme. No active exploitation confirmed via CISA KEV at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28024 HIGH This Week

Local file inclusion in axiomthemes Helion WordPress theme through version 1.1.12 enables remote attackers to read arbitrary files and potentially execute malicious code through improper filename validation in PHP include/require statements. While CVSS scores 8.1 (High) with network vector and no authentication required, attack complexity is rated High and EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world weaponization. The CWE-98 classification indicates classic PHP file inclusion vulnerabilities where attacker-controlled input influences file paths in include() or require() functions. Patchstack database lists this as both LFI and information disclosure, indicating read access is confirmed while remote code execution depends on exploitation chain completeness.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28023 HIGH This Week

Local File Inclusion (LFI) in ThemeREX Nuts WordPress theme versions through 1.10 allows remote attackers to read arbitrary files from the web server filesystem without authentication. While CVSS rates this 8.1 High, EPSS exploitation probability is low (0.15%, 36th percentile), suggesting limited active targeting. No CISA KEV listing or public exploit code identified at time of analysis, indicating this remains a theoretical risk requiring specific attack conditions despite the network-accessible vector.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28022 HIGH This Week

Local File Inclusion in ThemeREX Foodie WordPress theme through version 1.14 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Despite the high CVSS score of 8.1, real-world exploitation likelihood remains low (EPSS 0.15%, 36th percentile) with no active exploitation confirmed at time of analysis. The vulnerability stems from improper validation of file paths in PHP include/require statements, classified as CWE-98.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28021 HIGH This Week

Local file inclusion in ThemeREX Craftis WordPress theme versions through 1.2.8 enables remote attackers to read arbitrary server files and potentially achieve remote code execution via PHP file inclusion. The vulnerability stems from improper validation of filenames in include/require statements, allowing traversal to sensitive files. EPSS score of 0.15% indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack has documented this vulnerability affecting all installations prior to version 1.2.9.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28020 HIGH This Week

Local file inclusion vulnerability in ThemeREX Chroma WordPress theme versions ≤1.11 allows remote attackers to read arbitrary files from the web server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS probability is low (0.15%, 36th percentile) and no active exploitation is confirmed. Patchstack has documented this vulnerability, indicating professional security researcher awareness and likely forthcoming vendor response.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28019 HIGH This Week

Local file inclusion in the Manoir WordPress theme version 1.11 and earlier allows remote unauthenticated attackers to read arbitrary files on the server through improper validation of file inclusion parameters. Despite the high CVSS score of 8.1, EPSS data indicates low real-world exploitation probability (0.15%, 36th percentile), suggesting this is likely a targeted risk rather than widespread threat. Patchstack database confirms the vulnerability exists but no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28018 HIGH This Week

Local file inclusion vulnerability in ThemeREX Global Logistics WordPress theme through version 3.20 allows remote attackers to include arbitrary local files without authentication. Exploitation requires high complexity but no user interaction. With EPSS score of 0.15% (36th percentile), real-world exploitation probability remains low despite theoretical remote attack vector and lack of authentication requirements. Vulnerability identified by Patchstack audit team with public advisory available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28017 HIGH This Week

ThemeREX Green Thumb plugin version 1.1.12 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling file disclosure without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28016 HIGH This Week

Improper file inclusion handling in ThemeREX Luxury Wine plugin version 1.1.14 and earlier enables attackers to read arbitrary files on affected servers through local file inclusion attacks. The vulnerability requires network access but no authentication, allowing extraction of sensitive configuration data and source code. No patch is currently available for this high-severity issue affecting PHP-based WordPress installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28015 HIGH This Week

ThemeREX ShiftCV versions up to 3.0.14 are vulnerable to local file inclusion through improper input validation in PHP include/require statements, allowing attackers to read arbitrary files on the affected server. With a CVSS score of 8.1, this vulnerability enables high-impact attacks including information disclosure and potential code execution, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28014 HIGH This Week

ThemeREX Translogic through version 1.2.11 contains a local file inclusion vulnerability in PHP that enables attackers to read and potentially execute arbitrary files on affected systems without authentication. The improper handling of file include/require statements allows an attacker to manipulate filename inputs and access sensitive server files. No patch is currently available, and exploitation requires specific conditions (network accessible, no user interaction required).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28013 HIGH This Week

Improper file inclusion handling in ThemeREX Kratz plugin versions 1.0.12 and earlier enables attackers to read arbitrary files from affected systems through a local file inclusion vulnerability. An unauthenticated attacker can exploit this over the network to access sensitive configuration files and other protected data without authentication. No patch is currently available for this high-severity vulnerability affecting PHP-based installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28012 HIGH This Week

ThemeREX Gridiron through version 1.0.14 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server by manipulating include/require statements. The vulnerability requires specific conditions to be met (AC:H) but could lead to full system compromise including confidentiality and integrity breaches. No patch is currently available, and exploitation remains unlikely in the near term based on current threat metrics.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28011 HIGH This Week

ThemeREX Yottis plugin version 1.0.10 and earlier contains a local file inclusion vulnerability in PHP that permits unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion parameters. The vulnerability requires specific conditions to exploit (high attack complexity) but could lead to complete system compromise including confidential data exposure and code execution. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28010 HIGH This Week

ThemeREX Scientia plugin versions 1.2.4 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no patch currently available, affected PHP installations running vulnerable versions of Scientia are at immediate risk.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28009 HIGH This Week

ThemeREX DroneX versions up to 1.1.12 contain a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, potentially enabling information disclosure or further system compromise. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28007 HIGH This Week

ThemeREX Coinpress through version 1.0.14 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated attackers to read arbitrary files from the affected server. The vulnerability has a high severity rating (CVSS 8.1) and currently lacks a security patch. Attackers can leverage this flaw to access sensitive configuration files, credentials, and other protected data accessible to the web server process.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28006 HIGH This Week

ThemeREX Yungen plugin versions 1.0.12 and earlier contain a local file inclusion vulnerability in PHP file handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this weakness to access sensitive information or potentially execute code by manipulating filename parameters in include/require statements. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27998 HIGH This Week

ThemeREX Vixus through version 1.0.16 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this by crafting malicious requests to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires specific conditions that increase the attack complexity.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27997 HIGH This Week

ThemeREX Maxify through version 1.0.16 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. Currently no patch is available to remediate this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27996 HIGH This Week

ThemeREX Lingvico through version 1.0.14 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files on the affected system. The vulnerability requires network access but no authentication or user interaction, allowing an attacker to potentially disclose sensitive server information. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27995 HIGH This Week

ThemeREX Justitia through version 1.1.0 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper control of file inclusion statements. This vulnerability has a CVSS score of 8.1, indicating high severity with potential for both information disclosure and system compromise. No patch is currently available, leaving affected installations vulnerable to exploitation.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27994 HIGH This Week

ThemeREX Tediss versions 1.2.4 and earlier contain a local file inclusion vulnerability in their PHP include/require functionality, allowing unauthenticated attackers to read arbitrary files from the server. The vulnerability requires specific conditions to exploit (high complexity) but carries high impact including potential information disclosure and code execution. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27993 HIGH This Week

Local file inclusion in ThemeREX Aldo through version 1.0.10 enables unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. The vulnerability allows remote attackers to access sensitive system files and potentially execute code with no authentication required. No patch is currently available for this high-severity flaw.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27992 HIGH This Week

ThemeREX Meals & Wheels plugin version 1.1.12 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other protected content without authentication. No patch is currently available, and exploitation difficulty is moderate with a CVSS score of 8.1 indicating high impact on confidentiality, integrity, and availability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27991 HIGH This Week

ThemeREX Avventure versions 1.1.12 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27990 HIGH This Week

ThemeREX ConFix version 1.013 and earlier contains a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive configuration files or source code. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27989 HIGH This Week

ThemeREX Quanzo version 1.0.10 and earlier contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files through improper handling of include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27988 HIGH This Week

ThemeREX Equadio versions 1.1.3 and earlier contain a local file inclusion vulnerability in their PHP implementation that allows attackers to manipulate filename parameters in include/require statements to read arbitrary files from the system. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files or source code. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27987 HIGH This Week

ThemeREX The Qlean WordPress theme through version 2.12 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server. The vulnerability requires no authentication and can be exploited remotely to access sensitive configuration files and source code. While no patch is currently available, the relatively low EPSS score suggests limited real-world exploitation at this time.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27986 HIGH This Week

ThemeREX OsTende versions up to 1.4.3 contain a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and application data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27985 HIGH This Week

Local file inclusion in ThemeREX Humanum through version 1.1.4 enables attackers to read arbitrary files on the server by exploiting improper input validation in file inclusion mechanisms. The vulnerability requires network access but no authentication or user interaction, allowing complete compromise of confidentiality and integrity with high impact. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27383 HIGH This Week

RadiusTheme Metro versions 2.13 and earlier are susceptible to local file inclusion through improper input validation in PHP include/require statements, enabling attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive information or potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27381 HIGH This Week

PHP Local File Inclusion in Aora through version 1.3.15 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper validation of file inclusion parameters. The vulnerability carries a CVSS score of 8.1 with high impact across confidentiality, integrity, and availability, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27342 HIGH This Week

Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27341 HIGH This Week

Mikado-Themes TopScorer - Sports WordPress Theme topscorer is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27340 HIGH This Week

The AncoraThemes Apollo | Night Club, DJ Event WordPress Theme through version 1.3.1 contains a PHP local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This CWE-98 weakness in improper filename control could enable attackers to access sensitive configuration files or other protected data. No patch is currently available for affected installations.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27339 HIGH This Week

The Buzz Stone WordPress theme through version 1.0.2 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files on the affected server. With network access and no user interaction required, an attacker can leverage improper input validation in file inclusion functions to access sensitive data or potentially execute code. No patch is currently available for this vulnerability affecting WordPress installations using the vulnerable theme versions.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27337 HIGH This Week

The Chronicle WordPress theme version 1.0 and earlier contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the affected server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, or other confidential data stored on the web server. Currently, no patch is available and the vulnerability has a 0.2% probability of exploitation according to EPSS scoring.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27336 HIGH This Week

The Consultor WordPress theme through version 1.2.4 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files on the server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, and other confidential data. Currently no patch is available, leaving all affected installations vulnerable.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27335 HIGH This Week

The Ekoterra WordPress theme through version 1.0.0 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and other protected data. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27334 HIGH This Week

PHP Local File Inclusion in dan_fisher Alchemists versions through 4.6.0 allows unauthenticated remote attackers to read arbitrary files on affected servers through improper handling of file inclusion statements. The vulnerability requires specific network conditions to exploit but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27326 HIGH This Week

The AC Services WordPress theme through version 1.2.5 contains a local file inclusion vulnerability in PHP that enables unauthenticated remote attackers to read arbitrary files on affected servers. This high-severity flaw allows attackers to access sensitive configuration files and potentially extract credentials or other confidential data. WordPress installations using this theme should upgrade immediately as no patch is currently available.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-27097 HIGH This Week

The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-23801 HIGH This Week

Improper file inclusion handling in PHP-based The Issue theme versions 1.6.11 and earlier enables attackers to include and execute arbitrary local files, potentially leading to remote code execution. An unauthenticated attacker can exploit this vulnerability over the network to read sensitive files or execute malicious PHP code. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22478 HIGH This Week

The FindAll plugin for PHP through version 1.4 contains a local file inclusion vulnerability that enables attackers to read arbitrary files from the affected system through improper input validation on file inclusion statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive files and potentially execute arbitrary code with the privileges of the web server process. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22477 HIGH This Week

Local file inclusion in AncoraThemes Felizia through version 1.3.4 enables unauthenticated attackers to read arbitrary files from the affected server through improper input validation on file inclusion parameters. The vulnerability carries high severity with a CVSS score of 8.1 and impacts confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22476 HIGH This Week

Elated-Themes Etchy through version 1.0 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of filename parameters in include/require statements, allowing directory traversal attacks to access sensitive system files. While a patch is not currently available, the low EPSS score suggests limited real-world exploitation likelihood at this time.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22457 HIGH This Week

Mikado-Themes Wanderland versions 1.5 and earlier contain a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of file paths in include/require statements, allowing an unauthenticated remote attacker to access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22456 HIGH This Week

Local file inclusion in Elated-Themes Askka version 1.0 and earlier allows unauthenticated remote attackers to read arbitrary files from the affected server through improper validation of include/require statements. The vulnerability carries high severity with potential for information disclosure and system compromise. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22452 HIGH This Week

ThemeREX Hoverex versions up to 1.5.10 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker with network access can exploit this to disclose sensitive configuration files, source code, or other critical data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22449 HIGH This Week

Don Peppe WordPress theme version 1.3 and earlier contains a local file inclusion vulnerability in its file handling mechanism that could allow an attacker to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data. Currently, no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22446 HIGH This Week

Select-Themes Prowess version 1.8.1 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22443 HIGH This Week

ThemeREX Alliance versions up to 3.1.1 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of filename parameters in include/require statements. With a CVSS score of 8.1, this vulnerability enables attackers to access sensitive system files and potentially execute code depending on server configuration. No patch is currently available for affected versions.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22442 HIGH This Week

LaunchandSell Tribe plugin for PHP versions through 1.7.3 contains a local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper validation of filenames in include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22441 HIGH This Week

Elated-Themes Zentrum version 1.0 and earlier contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server without authentication. The high CVSS score of 8.1 reflects the potential for complete compromise of confidentiality and integrity, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22439 HIGH This Week

Local file inclusion in AncoraThemes Green Planet through version 1.1.14 allows unauthenticated attackers to read arbitrary files on affected servers by manipulating include/require statements in PHP. This CWE-98 vulnerability carries a CVSS score of 8.1 with high impact on confidentiality and integrity, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22437 HIGH This Week

AncoraThemes Playa versions up to 1.3.9 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The flaw stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22436 HIGH This Week

Local file inclusion in Elated-Themes Helvig through version 1.0 enables unauthenticated remote attackers to read arbitrary files from affected systems. The vulnerability stems from improper control of filename parameters in PHP include/require statements, allowing attackers to traverse the filesystem and access sensitive data. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22435 HIGH This Week

ElectroServ through version 1.3.2 contains a local file inclusion vulnerability in its PHP-based file handling that enables unauthenticated attackers to read arbitrary files from the server. An attacker can exploit this weakness over the network without user interaction to access sensitive data or potentially execute code through log poisoning techniques. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22434 HIGH This Week

Local file inclusion in AncoraThemes Crown Art through version 1.2.11 enables unauthenticated remote attackers to read arbitrary files from the affected server through improper handling of include/require statements. This vulnerability carries a high CVSS score of 8.1 and allows potential access to sensitive configuration files and application data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22433 HIGH This Week

PHP Local File Inclusion in AncoraThemes CloudMe through version 1.2.2 enables unauthenticated attackers to read arbitrary files on affected systems through improper filename validation in include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22432 HIGH This Week

Woopy through version 1.2 by AncoraThemes contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the file system and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22431 HIGH This Week

AncoraThemes Wabi-Sabi theme version 1.2 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file inclusion parameters. An attacker can exploit this to access sensitive configuration files, database credentials, and other confidential data stored on the affected WordPress installation. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22429 HIGH This Week

Mikado-Themes Verdure WordPress theme version 1.6 and earlier contains an improper file inclusion vulnerability that enables attackers to read arbitrary files from the affected server without authentication. The flaw in the theme's include/require statement handling allows local and remote file inclusion attacks, potentially exposing sensitive configuration files and other critical data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22428 HIGH This Week

The Tooth Fairy WordPress theme through version 1.16 contains a local file inclusion vulnerability in its PHP file handling that allows attackers to read arbitrary files from the server. An unauthenticated remote attacker can exploit this by manipulating file inclusion parameters to access sensitive data or potentially execute code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22427 HIGH This Week

Mikado-Themes GoTravel versions 2.1 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data without authentication.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Miller WordPress theme through version 1.3.3 allows remote unauthenticated attackers to read arbitrary files and potentially execute malicious code via improper PHP include/require statement handling. CVSS rates this 8.1 (High) but EPSS exploitation probability is low at 0.15% (36th percentile), indicating targeted rather than widespread exploitation risk. Patchstack has documented this vulnerability but no CISA KEV listing exists, suggesting no confirmed active exploitation campaigns at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Peter Mason WordPress theme versions up to 1.4.5 allows remote unauthenticated attackers to include and execute arbitrary PHP files from the server's filesystem. The vulnerability stems from improper validation of file paths in include/require statements (CWE-98), enabling attackers to read sensitive files, execute malicious code, or escalate privileges. EPSS score of 0.15% (36th percentile) indicates relatively low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack security research identified this flaw, suggesting security researchers are aware but widespread targeting is not yet evident.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Yacht Rental theme versions through 2.6 enables remote attackers to read arbitrary files on the web server without authentication. The vulnerability stems from improper validation of include/require statements, classified as CWE-98 (PHP Remote File Inclusion). While CVSS scores 8.1 (High), the low EPSS score (0.15%, 36th percentile) suggests minimal observed exploitation activity. Patchstack audit team identified and reported this WordPress theme vulnerability, which affects default configurations requiring no special prerequisites beyond network access to the WordPress installation.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Beacon WordPress theme versions ≤2.24 allows remote attackers to read arbitrary files from the web server through improper filename control in PHP include/require statements. Despite high-attack-complexity requirements (CVSS AC:H), this enables unauthenticated access to sensitive configuration files, credentials, and application source code. No public exploit identified at time of analysis, with low EPSS score (0.15%, 36th percentile) suggesting minimal observed exploitation activity. Patchstack advisory available but patched release version not independently confirmed.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in the Police Department WordPress theme through version 2.17 allows remote attackers to read arbitrary files on the server and potentially achieve remote code execution through file disclosure and log poisoning techniques. Discovered by Patchstack's audit team, this vulnerability carries an EPSS score of 0.15%, indicating low probability of widespread exploitation despite its network-accessible attack vector. No public exploit code or active exploitation has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in FlashMart theme versions ≤2.0.15 allows remote attackers to read arbitrary files on the server through improper filename validation in PHP include/require statements. With CVSS 8.1 (High) and CWE-98 classification, attackers can potentially access sensitive configuration files, credentials, and application source code. EPSS exploitation probability is low (0.15%, 36th percentile), indicating limited observed exploitation activity. Patchstack vulnerability database confirms the flaw affects the WordPress theme variant.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Magentech Victo WordPress theme through version 1.4.16 allows remote attackers to read arbitrary server files and potentially execute code. Despite CWE-98 classification as 'Remote File Inclusion', technical evidence and Patchstack tagging confirm local file inclusion behavior. EPSS score of 0.15% (36th percentile) indicates low observed exploitation probability. No CISA KEV listing or public POC identified at time of analysis, though Patchstack reporting suggests researcher awareness of exploitation technique.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Law Office WordPress theme versions up to 3.3.0 allows remote unauthenticated attackers to read arbitrary files from the server through improper PHP include/require controls. With EPSS score of 0.15%, this represents a moderate real-world exploitation probability. The vulnerability enables information disclosure attacks against WordPress sites using the affected theme, potentially exposing configuration files, credentials, and sensitive application data.

PHP LFI Microsoft +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in N7 Golf Club WordPress theme through version 2.16.0 allows remote attackers to read arbitrary server files via crafted PHP file path manipulation. Despite CVSS 8.1, exploitation requires specific attack chain complexity (AC:H). EPSS 0.15% indicates minimal active exploitation observed. No CISA KEV listing or public POC identified at time of analysis, suggesting limited attacker interest in this WordPress theme vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

The ThemeREX Healer WordPress theme through version 1.0.0 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file include statements. An attacker can exploit this to access sensitive configuration files, database credentials, and other protected data without authentication. No patch is currently available and exploitation requires no user interaction.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in AncoraThemes Grit WordPress theme (versions ≤1.0.1) allows remote attackers to include arbitrary local files through improper validation of PHP include/require statements. Attack requires high complexity (CVSS AC:H) but no authentication, enabling unauthenticated attackers to achieve high confidentiality, integrity, and availability impact. EPSS score of 0.15% (36th percentile) indicates relatively low mass exploitation probability despite network attack vector. Patchstack audit team identified this vulnerability affecting PHP-based file operations with potential for information disclosure.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in wpDataTables plugin for WordPress (versions up to 6.5.0.1) enables authenticated attackers to read arbitrary files from the web server filesystem with high complexity conditions. An attacker with low-privilege access can include PHP files or extract sensitive configuration data (database credentials, API keys) from readable server files. EPSS score of 0.13% (32nd percentile) indicates low observed exploitation probability, with no CISA KEV listing or public POC identified at time of analysis. Patchstack researchers disclosed this as a PHP local file inclusion weakness (CWE-98) exploitable over the network.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Printy theme versions through 1.8 allows remote attackers to read arbitrary files from the web server filesystem and potentially achieve code execution. Despite high CVSS 8.1, EPSS exploitation probability is low at 0.15% (36th percentile), suggesting limited attacker interest. Patchstack has published vulnerability details, but no public exploit code or active exploitation has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Progress WordPress theme version 1.2 and earlier allows remote attackers to read arbitrary files from the web server filesystem via PHP file inclusion flaws. Despite the 8.1 CVSS score, EPSS probability is low (0.15%, 36th percentile), indicating limited real-world exploitation activity. No CISA KEV listing confirms this remains a lower-priority vulnerability despite network reachability. Patchstack database identifies this as exploitable for information disclosure through local file access.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Edifice WordPress theme through version 1.8 allows remote attackers to read arbitrary files on the server and potentially execute PHP code by manipulating file inclusion parameters. Exploitation requires bypassing a high attack complexity barrier (AC:H) without authentication, making this a critical vulnerability for websites using affected versions. EPSS score of 0.15% indicates minimal observed exploitation activity in the wild, and no CISA KEV listing exists at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Tuning WordPress theme versions ≤1.3 enables remote attackers to read arbitrary files and potentially achieve code execution through PHP file inclusion mechanisms. Despite the high CVSS score (8.1), exploitation probability remains low (EPSS 0.15%, 36th percentile) and no active exploitation has been confirmed. Patchstack vulnerability database identifies this as affecting the Tuning theme through version 1.3, with the attack requiring high complexity network-based exploitation without authentication or user interaction.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Invetex WordPress theme versions ≤2.18 allows remote attackers to include and execute arbitrary PHP files from the server's filesystem, potentially leading to remote code execution, credential theft, or full site compromise. EPSS probability of 0.15% indicates relatively low observed exploitation despite network attack vector. Patchstack security audit identified the vulnerability in PHP file handling routines where inadequate validation enables path traversal to sensitive files.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Bonbon WordPress theme through version 1.6 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Reported by Patchstack audit team with a 0.15% EPSS score (low exploitation probability), this vulnerability allows unauthenticated network-based attacks despite high complexity requirements. No active exploitation confirmed via CISA KEV, though the LFI attack pattern is well-understood by attackers. PHP-based themes with improper include/require statement controls are common attack surfaces in WordPress environments.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX EmojiNation WordPress theme versions through 1.0.12 allows remote attackers to read arbitrary files on the web server without authentication. Despite a CVSS score of 8.1, EPSS probability of 0.15% (36th percentile) suggests limited real-world exploitation activity. Patchstack database reports this as a PHP local file inclusion vulnerability with information disclosure impact, indicating attackers can access sensitive configuration files, credentials, or source code to facilitate subsequent attacks.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion vulnerability in ThemeREX MoneyFlow WordPress theme version 1.0 and earlier enables remote attackers to read arbitrary files from the server filesystem and potentially execute PHP code. Reported by Patchstack security researchers, this vulnerability exploits improper validation of file paths in PHP include/require statements. With EPSS exploitation probability at 0.15% (36th percentile), widespread exploitation is not yet observed, though the network-accessible attack vector combined with high confidentiality, integrity, and availability impacts warrants immediate patching for sites using this theme.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Kayon WordPress theme versions through 1.3 enables remote attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite network-reachable attack vector (CVSS AV:N), exploitation requires high complexity conditions (AC:H) without authentication, resulting in a moderate EPSS score of 0.15% (36th percentile). Patchstack database lists this as an actively tracked vulnerability affecting WordPress installations, though no CISA KEV listing indicates limited widespread exploitation at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in the Motorix WordPress theme versions 1.6 and earlier permits remote attackers to include and execute arbitrary PHP files on the server, despite high attack complexity. The vulnerability stems from improper validation of file paths in include/require statements. With EPSS exploitation probability at 0.15% (low percentile 36%), this appears to be a targeted WordPress theme vulnerability rather than widespread attack vector, though the CVSS score of 8.1 reflects the potential for complete system compromise if successfully exploited.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Stargaze WordPress theme versions through 1.5 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Reported by Patchstack security audit team. EPSS probability of 0.15% suggests low widespread exploitation likelihood, though network-accessible vector and high impact ratings warrant attention for sites using this theme. No active exploitation confirmed via CISA KEV at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in axiomthemes Helion WordPress theme through version 1.1.12 enables remote attackers to read arbitrary files and potentially execute malicious code through improper filename validation in PHP include/require statements. While CVSS scores 8.1 (High) with network vector and no authentication required, attack complexity is rated High and EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world weaponization. The CWE-98 classification indicates classic PHP file inclusion vulnerabilities where attacker-controlled input influences file paths in include() or require() functions. Patchstack database lists this as both LFI and information disclosure, indicating read access is confirmed while remote code execution depends on exploitation chain completeness.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion (LFI) in ThemeREX Nuts WordPress theme versions through 1.10 allows remote attackers to read arbitrary files from the web server filesystem without authentication. While CVSS rates this 8.1 High, EPSS exploitation probability is low (0.15%, 36th percentile), suggesting limited active targeting. No CISA KEV listing or public exploit code identified at time of analysis, indicating this remains a theoretical risk requiring specific attack conditions despite the network-accessible vector.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion in ThemeREX Foodie WordPress theme through version 1.14 allows remote unauthenticated attackers to read arbitrary files on the server and potentially execute malicious code. Despite the high CVSS score of 8.1, real-world exploitation likelihood remains low (EPSS 0.15%, 36th percentile) with no active exploitation confirmed at time of analysis. The vulnerability stems from improper validation of file paths in PHP include/require statements, classified as CWE-98.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Craftis WordPress theme versions through 1.2.8 enables remote attackers to read arbitrary server files and potentially achieve remote code execution via PHP file inclusion. The vulnerability stems from improper validation of filenames in include/require statements, allowing traversal to sensitive files. EPSS score of 0.15% indicates low observed exploitation probability, and no active exploitation has been confirmed via CISA KEV. Patchstack has documented this vulnerability affecting all installations prior to version 1.2.9.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion vulnerability in ThemeREX Chroma WordPress theme versions ≤1.11 allows remote attackers to read arbitrary files from the web server filesystem through improper filename validation in PHP include/require statements. Despite high CVSS 8.1, EPSS probability is low (0.15%, 36th percentile) and no active exploitation is confirmed. Patchstack has documented this vulnerability, indicating professional security researcher awareness and likely forthcoming vendor response.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in the Manoir WordPress theme version 1.11 and earlier allows remote unauthenticated attackers to read arbitrary files on the server through improper validation of file inclusion parameters. Despite the high CVSS score of 8.1, EPSS data indicates low real-world exploitation probability (0.15%, 36th percentile), suggesting this is likely a targeted risk rather than widespread threat. Patchstack database confirms the vulnerability exists but no active exploitation (KEV) or public proof-of-concept has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion vulnerability in ThemeREX Global Logistics WordPress theme through version 3.20 allows remote attackers to include arbitrary local files without authentication. Exploitation requires high complexity but no user interaction. With EPSS score of 0.15% (36th percentile), real-world exploitation probability remains low despite theoretical remote attack vector and lack of authentication requirements. Vulnerability identified by Patchstack audit team with public advisory available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Green Thumb plugin version 1.1.12 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames used in include/require statements, enabling file disclosure without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper file inclusion handling in ThemeREX Luxury Wine plugin version 1.1.14 and earlier enables attackers to read arbitrary files on affected servers through local file inclusion attacks. The vulnerability requires network access but no authentication, allowing extraction of sensitive configuration data and source code. No patch is currently available for this high-severity issue affecting PHP-based WordPress installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX ShiftCV versions up to 3.0.14 are vulnerable to local file inclusion through improper input validation in PHP include/require statements, allowing attackers to read arbitrary files on the affected server. With a CVSS score of 8.1, this vulnerability enables high-impact attacks including information disclosure and potential code execution, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Translogic through version 1.2.11 contains a local file inclusion vulnerability in PHP that enables attackers to read and potentially execute arbitrary files on affected systems without authentication. The improper handling of file include/require statements allows an attacker to manipulate filename inputs and access sensitive server files. No patch is currently available, and exploitation requires specific conditions (network accessible, no user interaction required).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper file inclusion handling in ThemeREX Kratz plugin versions 1.0.12 and earlier enables attackers to read arbitrary files from affected systems through a local file inclusion vulnerability. An unauthenticated attacker can exploit this over the network to access sensitive configuration files and other protected data without authentication. No patch is currently available for this high-severity vulnerability affecting PHP-based installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Gridiron through version 1.0.14 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server by manipulating include/require statements. The vulnerability requires specific conditions to be met (AC:H) but could lead to full system compromise including confidentiality and integrity breaches. No patch is currently available, and exploitation remains unlikely in the near term based on current threat metrics.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Yottis plugin version 1.0.10 and earlier contains a local file inclusion vulnerability in PHP that permits unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion parameters. The vulnerability requires specific conditions to exploit (high attack complexity) but could lead to complete system compromise including confidential data exposure and code execution. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Scientia plugin versions 1.2.4 and earlier contain a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. With no patch currently available, affected PHP installations running vulnerable versions of Scientia are at immediate risk.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX DroneX versions up to 1.1.12 contain a PHP local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability stems from improper validation of file paths in include/require statements, potentially enabling information disclosure or further system compromise. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Coinpress through version 1.0.14 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated attackers to read arbitrary files from the affected server. The vulnerability has a high severity rating (CVSS 8.1) and currently lacks a security patch. Attackers can leverage this flaw to access sensitive configuration files, credentials, and other protected data accessible to the web server process.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Yungen plugin versions 1.0.12 and earlier contain a local file inclusion vulnerability in PHP file handling that allows attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this weakness to access sensitive information or potentially execute code by manipulating filename parameters in include/require statements. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Vixus through version 1.0.16 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this by crafting malicious requests to access sensitive files and potentially execute arbitrary code. No patch is currently available, and exploitation requires specific conditions that increase the attack complexity.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Maxify through version 1.0.16 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. Currently no patch is available to remediate this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Lingvico through version 1.0.14 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files on the affected system. The vulnerability requires network access but no authentication or user interaction, allowing an attacker to potentially disclose sensitive server information. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Justitia through version 1.1.0 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper control of file inclusion statements. This vulnerability has a CVSS score of 8.1, indicating high severity with potential for both information disclosure and system compromise. No patch is currently available, leaving affected installations vulnerable to exploitation.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Tediss versions 1.2.4 and earlier contain a local file inclusion vulnerability in their PHP include/require functionality, allowing unauthenticated attackers to read arbitrary files from the server. The vulnerability requires specific conditions to exploit (high complexity) but carries high impact including potential information disclosure and code execution. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Aldo through version 1.0.10 enables unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. The vulnerability allows remote attackers to access sensitive system files and potentially execute code with no authentication required. No patch is currently available for this high-severity flaw.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Meals & Wheels plugin version 1.1.12 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other protected content without authentication. No patch is currently available, and exploitation difficulty is moderate with a CVSS score of 8.1 indicating high impact on confidentiality, integrity, and availability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Avventure versions 1.1.12 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive information. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX ConFix version 1.013 and earlier contains a local file inclusion vulnerability in PHP that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive configuration files or source code. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Quanzo version 1.0.10 and earlier contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files through improper handling of include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Equadio versions 1.1.3 and earlier contain a local file inclusion vulnerability in their PHP implementation that allows attackers to manipulate filename parameters in include/require statements to read arbitrary files from the system. An attacker with network access can exploit this vulnerability to disclose sensitive information such as configuration files or source code. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX The Qlean WordPress theme through version 2.12 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server. The vulnerability requires no authentication and can be exploited remotely to access sensitive configuration files and source code. While no patch is currently available, the relatively low EPSS score suggests limited real-world exploitation at this time.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX OsTende versions up to 1.4.3 contain a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files on the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and application data. No patch is currently available for this issue.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in ThemeREX Humanum through version 1.1.4 enables attackers to read arbitrary files on the server by exploiting improper input validation in file inclusion mechanisms. The vulnerability requires network access but no authentication or user interaction, allowing complete compromise of confidentiality and integrity with high impact. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

RadiusTheme Metro versions 2.13 and earlier are susceptible to local file inclusion through improper input validation in PHP include/require statements, enabling attackers to read arbitrary files on the server. An unauthenticated remote attacker can exploit this vulnerability over the network to access sensitive information or potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in Aora through version 1.3.15 enables unauthenticated remote attackers to read arbitrary files on affected systems through improper validation of file inclusion parameters. The vulnerability carries a CVSS score of 8.1 with high impact across confidentiality, integrity, and availability, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes TopScorer - Sports WordPress Theme topscorer is affected by php remote file inclusion (CVSS 8.1).

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The AncoraThemes Apollo | Night Club, DJ Event WordPress Theme through version 1.3.1 contains a PHP local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server. This CWE-98 weakness in improper filename control could enable attackers to access sensitive configuration files or other protected data. No patch is currently available for affected installations.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Buzz Stone WordPress theme through version 1.0.2 contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files on the affected server. With network access and no user interaction required, an attacker can leverage improper input validation in file inclusion functions to access sensitive data or potentially execute code. No patch is currently available for this vulnerability affecting WordPress installations using the vulnerable theme versions.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Chronicle WordPress theme version 1.0 and earlier contains a local file inclusion vulnerability in its PHP code that allows unauthenticated attackers to read arbitrary files from the affected server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, or other confidential data stored on the web server. Currently, no patch is available and the vulnerability has a 0.2% probability of exploitation according to EPSS scoring.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Consultor WordPress theme through version 1.2.4 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files on the server. An attacker can exploit this weakness to access sensitive configuration files, database credentials, and other confidential data. Currently no patch is available, leaving all affected installations vulnerable.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Ekoterra WordPress theme through version 1.0.0 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) stems from improper validation of file paths in include/require statements, enabling attackers to access sensitive configuration files and other protected data. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in dan_fisher Alchemists versions through 4.6.0 allows unauthenticated remote attackers to read arbitrary files on affected servers through improper handling of file inclusion statements. The vulnerability requires specific network conditions to exploit but carries high impact potential across confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The AC Services WordPress theme through version 1.2.5 contains a local file inclusion vulnerability in PHP that enables unauthenticated remote attackers to read arbitrary files on affected servers. This high-severity flaw allows attackers to access sensitive configuration files and potentially extract credentials or other confidential data. WordPress installations using this theme should upgrade immediately as no patch is currently available.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The CasaMia WordPress theme through version 1.1.2 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. This high-severity flaw (CVSS 8.1) could expose sensitive configuration files, database credentials, and other confidential data stored on affected WordPress installations. No patch is currently available for this vulnerability.

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper file inclusion handling in PHP-based The Issue theme versions 1.6.11 and earlier enables attackers to include and execute arbitrary local files, potentially leading to remote code execution. An unauthenticated attacker can exploit this vulnerability over the network to read sensitive files or execute malicious PHP code. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The FindAll plugin for PHP through version 1.4 contains a local file inclusion vulnerability that enables attackers to read arbitrary files from the affected system through improper input validation on file inclusion statements. An unauthenticated remote attacker can exploit this vulnerability to access sensitive files and potentially execute arbitrary code with the privileges of the web server process. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Felizia through version 1.3.4 enables unauthenticated attackers to read arbitrary files from the affected server through improper input validation on file inclusion parameters. The vulnerability carries high severity with a CVSS score of 8.1 and impacts confidentiality, integrity, and availability of affected systems. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Elated-Themes Etchy through version 1.0 contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of filename parameters in include/require statements, allowing directory traversal attacks to access sensitive system files. While a patch is not currently available, the low EPSS score suggests limited real-world exploitation likelihood at this time.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Wanderland versions 1.5 and earlier contain a local file inclusion vulnerability in PHP that enables attackers to read arbitrary files from the affected server without authentication. The vulnerability stems from improper validation of file paths in include/require statements, allowing an unauthenticated remote attacker to access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Elated-Themes Askka version 1.0 and earlier allows unauthenticated remote attackers to read arbitrary files from the affected server through improper validation of include/require statements. The vulnerability carries high severity with potential for information disclosure and system compromise. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Hoverex versions up to 1.5.10 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker with network access can exploit this to disclose sensitive configuration files, source code, or other critical data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Don Peppe WordPress theme version 1.3 and earlier contains a local file inclusion vulnerability in its file handling mechanism that could allow an attacker to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data. Currently, no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Select-Themes Prowess version 1.8.1 and earlier contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse directories and access sensitive data. No patch is currently available for this high-severity vulnerability (CVSS 8.1).

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ThemeREX Alliance versions up to 3.1.1 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the server through improper handling of filename parameters in include/require statements. With a CVSS score of 8.1, this vulnerability enables attackers to access sensitive system files and potentially execute code depending on server configuration. No patch is currently available for affected versions.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

LaunchandSell Tribe plugin for PHP versions through 1.7.3 contains a local file inclusion vulnerability that allows unauthenticated remote attackers to read arbitrary files on the server. The flaw stems from improper validation of filenames in include/require statements, enabling attackers to access sensitive data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Elated-Themes Zentrum version 1.0 and earlier contains a local file inclusion vulnerability in its PHP file handling that enables attackers to read arbitrary files from the server without authentication. The high CVSS score of 8.1 reflects the potential for complete compromise of confidentiality and integrity, though exploitation requires specific conditions. No patch is currently available for affected installations.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Green Planet through version 1.1.14 allows unauthenticated attackers to read arbitrary files on affected servers by manipulating include/require statements in PHP. This CWE-98 vulnerability carries a CVSS score of 8.1 with high impact on confidentiality and integrity, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Playa versions up to 1.3.9 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected server. The flaw stems from improper validation of file paths in include/require statements, enabling attackers to traverse directories and access sensitive system files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Elated-Themes Helvig through version 1.0 enables unauthenticated remote attackers to read arbitrary files from affected systems. The vulnerability stems from improper control of filename parameters in PHP include/require statements, allowing attackers to traverse the filesystem and access sensitive data. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

ElectroServ through version 1.3.2 contains a local file inclusion vulnerability in its PHP-based file handling that enables unauthenticated attackers to read arbitrary files from the server. An attacker can exploit this weakness over the network without user interaction to access sensitive data or potentially execute code through log poisoning techniques. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Crown Art through version 1.2.11 enables unauthenticated remote attackers to read arbitrary files from the affected server through improper handling of include/require statements. This vulnerability carries a high CVSS score of 8.1 and allows potential access to sensitive configuration files and application data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in AncoraThemes CloudMe through version 1.2.2 enables unauthenticated attackers to read arbitrary files on affected systems through improper filename validation in include/require statements. The high CVSS score of 8.1 reflects the potential for confidentiality and integrity compromise, though no patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Woopy through version 1.2 by AncoraThemes contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files from the affected system. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to traverse the file system and access sensitive data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Wabi-Sabi theme version 1.2 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files on the server through improper handling of file inclusion parameters. An attacker can exploit this to access sensitive configuration files, database credentials, and other confidential data stored on the affected WordPress installation. No patch is currently available.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes Verdure WordPress theme version 1.6 and earlier contains an improper file inclusion vulnerability that enables attackers to read arbitrary files from the affected server without authentication. The flaw in the theme's include/require statement handling allows local and remote file inclusion attacks, potentially exposing sensitive configuration files and other critical data. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

The Tooth Fairy WordPress theme through version 1.16 contains a local file inclusion vulnerability in its PHP file handling that allows attackers to read arbitrary files from the server. An unauthenticated remote attacker can exploit this by manipulating file inclusion parameters to access sensitive data or potentially execute code. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes GoTravel versions 2.1 and earlier contain a local file inclusion vulnerability in PHP file handling that allows unauthenticated attackers to read arbitrary files from the affected server. The vulnerability stems from improper input validation on filename parameters used in PHP include/require statements, enabling attackers to traverse the filesystem and access sensitive data without authentication.

PHP LFI Information Disclosure
NVD
Prev Page 4 of 14 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy