Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion.This issue affects AeroLand: from n/a through <= 1.6.6.
Published: 2026-01-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of filenames used in PHP include/require statements. An attacker can supply crafted input that causes the theme to include arbitrary local files on the server, potentially exposing sensitive configuration files, credentials, or other confidential data. The impact is a theft of sensitive information and possible compromise of the site’s integrity, as attackers gain read access to files on the web server.

Affected Systems

WordPress sites that use the AeroLand theme from ThemeMove. Versions vulnerable are all releases up to and including 1.6.6; newer releases are not affected.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Inferred attack vectors include direct manipulation of URL parameters or form fields that the theme passes to include/require, allowing the attacker to point to arbitrary files on the server. The threat remains significant because read access to critical files can lead to credential theft or further exploitation of the site.

Generated by OpenCVE AI on May 2, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AeroLand theme to version 1.6.7 or later when it becomes available.
  • If an upgrade cannot be performed immediately, remove the AeroLand theme from the site or switch to a trusted default theme to eliminate the risk.
  • Implement file‑access checks to ensure that user‑supplied file names are not passed to include/require statements.
  • Deploy a Web Application Firewall rule that blocks requests attempting to manipulate file include paths.

Generated by OpenCVE AI on May 2, 2026 at 00:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Thememove
Thememove aeroland
CPEs cpe:2.3:a:thememove:aeroland:*:*:*:*:*:wordpress:*:*
Vendors & Products Thememove
Thememove aeroland

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove AeroLand aeroland allows PHP Local File Inclusion.This issue affects AeroLand: from n/a through <= 1.6.6.
Title WordPress AeroLand theme <= 1.6.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Thememove Aeroland
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.537Z

Reserved: 2025-12-10T03:27:45.517Z

Link: CVE-2025-14429

cve-icon Vulnrichment

Updated: 2026-01-08T15:03:23.819Z

cve-icon NVD

Status : Modified

Published: 2026-01-08T10:15:46.200

Modified: 2026-04-27T17:16:24.870

Link: CVE-2025-14429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses