CVE-2026-24531 in Prowess Plugin
Summary
by MITRE • 01/23/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion.This issue affects Prowess: from n/a through <= 2.3.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/23/2026
The CVE-2026-24531 vulnerability represents a critical PHP Remote File Inclusion flaw that resides within the Select-Themes Prowess prowess theme, specifically impacting versions through 2.3. This vulnerability stems from improper control of filename parameters in include/require statements, creating a pathway for attackers to execute arbitrary code on affected systems. The flaw manifests when the application fails to properly validate or sanitize user-supplied input that is subsequently used in dynamic include operations, allowing malicious actors to manipulate the include path and load arbitrary files from remote servers or local system directories.
The technical implementation of this vulnerability aligns with CWE-98, which specifically addresses Improper Control of Filename for Include/Require Statement, and falls under the broader category of CWE-88, which covers Improper Neutralization of Argument Delimiters in a Command. The vulnerability operates by accepting user-controllable parameters that are directly incorporated into PHP include/require statements without adequate validation or sanitization, enabling attackers to inject malicious file paths that can lead to local or remote file inclusion. This flaw specifically affects the Prowess theme's handling of dynamic file inclusion operations where theme functionality relies on external parameter inputs to determine which files should be included during execution.
From an operational impact perspective, this vulnerability creates significant security risks for affected WordPress installations, as it allows remote code execution capabilities that can be leveraged to compromise entire web servers. Attackers can exploit this weakness to upload and execute malicious PHP code, potentially gaining full administrative control over affected websites, leading to data breaches, defacement, or serving as a foothold for further attacks within network infrastructure. The vulnerability's impact is particularly severe because it affects the core theme functionality, making it difficult for administrators to isolate and remediate the issue without potentially affecting other theme features or website operations.
The attack vector for this vulnerability typically involves sending malicious parameters to specific endpoints within the Prowess theme that trigger the vulnerable include operations. This often occurs through URL parameters or form inputs that are processed by the theme's code, where attackers can manipulate the include path to point to malicious files hosted on remote servers. The ATT&CK framework categorizes this as a technique under T1190 - Exploit Public-Facing Application, where attackers target web applications to gain initial access to systems. Organizations should implement immediate mitigations including updating to patched versions of the Prowess theme, implementing proper input validation, and configuring web application firewalls to detect and block suspicious include operations. Additionally, security monitoring should be enhanced to detect anomalous file inclusion patterns that may indicate exploitation attempts, and regular security audits should be conducted to identify similar vulnerabilities in other theme or plugin components.