CVE-2026-57800 in Overworld Plugin
Summary
by MITRE • 07/13/2026
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through <= 1.5.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/13/2026
The vulnerability described represents a critical improper control of filename for include/require statements in PHP applications, commonly classified as PHP Remote File Inclusion or Local File Inclusion (LFI). This weakness occurs when user-supplied input is directly incorporated into PHP include or require statements without proper sanitization or validation. The specific affected product Edge-Themes Overworld overworld version 1.5 and earlier contains this vulnerability that allows attackers to manipulate the file inclusion mechanism through malicious input parameters.
This security flaw falls under CWE-98, which specifically addresses Improper Control of Filename for Include/Require Statement, a direct descendant of the broader CWE-22 weakness related to Path Traversal attacks. The vulnerability enables an attacker to include arbitrary files on the target system, potentially leading to remote code execution or unauthorized data access. When user input is passed directly to functions like include(), require(), include_once(), or require_once() without proper validation, attackers can manipulate the file path to include malicious files stored on remote servers or local system files.
The operational impact of this vulnerability in the Edge-Themes Overworld context is severe as it allows for arbitrary code execution capabilities. An attacker could exploit this weakness by injecting malicious file paths into parameters that control file inclusion operations, potentially leading to complete system compromise. The vulnerability affects all versions up to and including 1.5, indicating a persistent issue within the product's codebase where input validation mechanisms are insufficient or completely absent when processing user-provided filenames for inclusion purposes.
This vulnerability directly maps to ATT&CK technique T1505.003 (Server-Side Include Injection) and potentially T1059.007 (Command and Scripting Interpreter: PowerShell) if the system allows for code execution through included files. The attack surface extends beyond simple file inclusion to potential privilege escalation if the web application runs with elevated permissions, as attackers can include system configuration files or other sensitive resources that may reveal additional attack vectors.
Mitigation strategies should focus on implementing strict input validation and sanitization mechanisms before any file inclusion operations occur. The recommended approach involves eliminating direct user input from include statements by using whitelisting techniques that only allow predefined valid filenames or paths. Additionally, developers should implement proper parameter validation, utilize absolute paths for included files, and consider employing PHP's safe_mode restrictions or disable_functions directives to limit dangerous operations. Regular security code reviews and automated static analysis tools should be employed to detect similar patterns in the codebase, while also ensuring that file inclusion operations are properly sandboxed within restricted directories. The most effective long-term solution involves replacing vulnerable include statements with secure alternatives such as configuration-based file selection or using a whitelist approach that validates all input against predetermined acceptable values before any file operations occur.
The vulnerability represents a fundamental flaw in input handling and access control that requires immediate attention through code-level remediation and comprehensive security testing. Organizations should implement continuous monitoring for similar patterns across their codebase and establish secure coding practices that prevent such issues from recurring in future development cycles.