CVE-2026-57791 in Brook Plugin
Summary
by MITRE • 07/13/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/13/2026
The vulnerability described represents a critical remote file inclusion flaw that exists within the ThemeMove Brook theme for WordPress, specifically affecting versions ranging from the initial release through version 2.9.0. This weakness enables malicious actors to manipulate include or require statements in PHP code, potentially allowing unauthorized remote code execution and complete system compromise. The vulnerability stems from insufficient validation of user-supplied input that is directly used in file inclusion operations, creating an exploitable path for attackers to load arbitrary files from remote servers.
The technical implementation of this vulnerability occurs when the theme fails to properly sanitize or validate filename parameters passed to PHP include functions such as include(), require(), include_once(), or require_once(). When user input flows directly into these statements without adequate filtering or validation, attackers can inject malicious file paths that point to remote servers hosting attacker-controlled content. This pattern aligns with CWE-88, which describes improper neutralization of special elements used in an expression, and more specifically with CWE-94, which covers the execution of arbitrary code or commands.
The operational impact of this vulnerability extends beyond simple data theft or service disruption, as it can enable full system compromise through remote code execution. Attackers can leverage this flaw to upload malicious files, establish backdoors, gain persistent access to affected systems, and potentially move laterally within network environments. The vulnerability is particularly dangerous because it allows attackers to execute arbitrary PHP code on the target server with the privileges of the web application, potentially leading to complete system takeover. This type of vulnerability maps directly to ATT&CK technique T1190, which describes exploiting vulnerabilities in remote services, and T1059, which covers command and scripting interpreter usage.
Mitigation strategies for this vulnerability require immediate action including upgrading to version 2.9.1 or later where the issue has been patched, implementing proper input validation and sanitization of all user-supplied data before it reaches include statements, and employing web application firewalls to detect and block suspicious file inclusion patterns. Organizations should also conduct comprehensive security assessments of their WordPress installations to identify other potential vulnerabilities in themes and plugins, as this type of flaw often indicates broader security weaknesses in the application architecture. Additionally, implementing proper access controls and limiting file inclusion capabilities through PHP configuration settings can provide additional defense layers against exploitation attempts.