Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0.
Published: 2026-01-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename used in PHP's include/require statements in the Brook theme enables a local file inclusion vulnerability. An attacker could supply a crafted input that causes the theme to include an arbitrary file on the server, potentially exposing sensitive configuration, database credentials, or other confidential data. Depending on the context, this LFI flaw could also allow execution of arbitrary PHP code, leading to full compromise of the WordPress site. The weakness is identified as CWE‑98.

Affected Systems

The Brook WordPress theme from ThemeMove, version 2.9.0 and earlier, is affected. Users running any installation of the theme with these or older releases are susceptible until the issue is patched.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is considered high severity, but the EPSS score of less than 1% suggests that successful exploitation is unlikely in the wild at present. The flaw is not listed in the CISA KEV catalog. Exploitation would probably involve manipulating a user‑controlled parameter that the theme uses to build the include path, such as a GET or POST value. No known public exploits have been reported, and mitigations are available through a patch or by restricting the inclusion logic.

Generated by OpenCVE AI on May 2, 2026 at 00:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Brook theme to a version newer than 2.9.0.
  • If an upgrade is not immediately possible, restrict the include path to a trusted directory and validate any user input to ensure it does not reference files outside that directory.
  • Disable PHP directives that allow remote file inclusion by setting allow_url_fopen and allow_url_include to Off in the server configuration.

Generated by OpenCVE AI on May 2, 2026 at 00:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion.This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through <= 2.9.0.
Title WordPress Brook - Agency Business Creative theme <= 2.8.9 - Local File Inclusion vulnerability WordPress Brook - Agency Business Creative theme <= 2.9.0 - Local File Inclusion vulnerability

Tue, 27 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Thememove
Thememove brook
CPEs cpe:2.3:a:thememove:brook:*:*:*:*:*:wordpress:*:*
Vendors & Products Thememove
Thememove brook

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Brook - Agency Business Creative brook allows PHP Local File Inclusion.This issue affects Brook - Agency Business Creative: from n/a through <= 2.8.9.
Title WordPress Brook - Agency Business Creative theme <= 2.8.9 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Thememove Brook
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.525Z

Reserved: 2025-12-10T03:28:18.626Z

Link: CVE-2025-14430

cve-icon Vulnrichment

Updated: 2026-01-08T15:02:52.689Z

cve-icon NVD

Status : Modified

Published: 2026-01-08T10:15:46.333

Modified: 2026-04-27T17:16:25.003

Link: CVE-2025-14430

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses