Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine allows PHP Local File Inclusion.

This issue affects Oshine: from n/a before 7.3.0.
Published: 2026-01-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Oshine theme contains an improper control of filename for include/require statements, allowing an attacker to specify arbitrary file paths that the PHP engine will read or execute. This flaw, identified as CWE-98, could enable the disclosure of sensitive files or, if executable PHP files are accessed, remote code execution. The description does not detail the exact input mechanism, but the likely attack vector is via a user-provided parameter that influences the include path within the theme's code.

Affected Systems

The defect affects the WordPress Oshine theme developed by brandexponents. All releases prior to version 7.3.0 are vulnerable; versions 7.3.0 and newer have the issue fixed.

Risk and Exploitability

The CVSS score of 8.1 classifies the vulnerability as high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The CVE description does not disclose the exact attack vector, and while CWE-98 implies that an attacker may manipulate input that determines include paths, the specific mechanism for triggering the flaw is not detailed in the public evidence.

Generated by OpenCVE AI on May 2, 2026 at 00:55 UTC.

Remediation

Vendor Solution

Update the WordPress Oshine theme to the latest available version (at least 7.3.0).

OpenCVE Recommended Actions

  • Update the WordPress Oshine theme to version 7.3.0 or newer to eliminate the LFI flaw.
  • If updating immediately is not possible, restrict web access to the theme directory and disable direct execution of PHP files within that directory to mitigate risk of remote code execution.
  • Audit other installed themes and plugins for similar include/require controls and apply vendor patches or updates as soon as available.

Generated by OpenCVE AI on May 2, 2026 at 00:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
References

Wed, 29 Apr 2026 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine allows PHP Local File Inclusion. This issue affects Oshine: from n/a before 7.3.0.
Title WordPress Oshine theme <= 7.2.7 - Local File Inclusion vulnerability WordPress Oshine theme < 7.3.0 - Local File Inclusion vulnerability
References

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in brandexponents Oshine oshin allows PHP Local File Inclusion.This issue affects Oshine: from n/a through <= 7.2.7.
Title WordPress Oshine theme <= 7.2.7 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T11:37:56.092Z

Reserved: 2025-12-09T16:47:26.006Z

Link: CVE-2025-14359

cve-icon Vulnrichment

Updated: 2026-01-08T15:04:22.324Z

cve-icon NVD

Status : Deferred

Published: 2026-01-08T10:15:45.920

Modified: 2026-04-29T12:16:17.263

Link: CVE-2025-14359

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses