Description
The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the 'args[extra_template_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-11-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Premium Portfolio Features for Phlox theme plugin contains a local file inclusion flaw in the args[extra_template_path] parameter. An unauthenticated attacker can supply an arbitrary path to a PHP file, causing the server to include and execute that file. This enables the attacker to bypass access controls, read sensitive data, or run arbitrary PHP code, effectively compromising the affected WordPress installation.

Affected Systems

WordPress sites using averta’s Premium Portfolio Features for Phlox theme plugin, version 2.3.10 or earlier, remain vulnerable. Sites that have not upgraded beyond these versions are at risk.

Risk and Exploitability

The CVSS score of 8.1 reflects the high impact of remote code execution, while the EPSS score of less than 1% indicates a very low current exploitation probability. The vulnerability is not listed in CISA KEV, but it can be exploited through a simple HTTP request containing the malicious args[extra_template_path] value. An attacker does not need authentication but must have internet access to the site and the ability to reference a PHP file—either from the local filesystem or an uploaded one that can be included.

Generated by OpenCVE AI on April 22, 2026 at 11:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Premium Portfolio Features for Phlox theme plugin to version 2.4 or later to remove the LFI flaw.
  • Disable or remove the args[extra_template_path] parameter from the public query string, ensuring only privileged users can trigger template loading.
  • Block the upload of PHP files to the site’s upload directory by tightening file‑type restrictions or moving uploads outside the web root.
  • Configure PHP to disallow remote file inclusion by setting allow_url_include to Off and, if possible, enable safe_mode to mitigate future LFI attempts.

Generated by OpenCVE AI on April 22, 2026 at 11:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 06 Nov 2025 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Averta
Averta phlox
Averta premium Portfolio Features For Phlox Theme
Wordpress
Wordpress wordpress
Vendors & Products Averta
Averta phlox
Averta premium Portfolio Features For Phlox Theme
Wordpress
Wordpress wordpress

Wed, 05 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 05 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the 'args[extra_template_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Title Premium Portfolio Features for Phlox theme <= 2.3.10 - Unauthenticated Local File Inclusion via args[extra_template_path]
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Averta Phlox Premium Portfolio Features For Phlox Theme
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:33.660Z

Reserved: 2025-10-29T23:05:58.113Z

Link: CVE-2025-12497

cve-icon Vulnrichment

Updated: 2025-11-05T15:02:07.794Z

cve-icon NVD

Status : Deferred

Published: 2025-11-05T12:15:33.347

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses