Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion. This issue affects Navian: from n/a through <= 1.5.4.
Published: 2026-01-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Navian theme for WordPress arises from improper control of filenames used in PHP include or require statements. This flaw allows an attacker to include local files, which may lead to arbitrary PHP code execution, compromising the confidentiality, integrity, and availability of the website.

Affected Systems

The affected product is the Navian theme by THEMELOGI. Versions from an unspecified earlier release up through 1.5.4 are vulnerable. Every WordPress installation that has this theme present is at risk.

Risk and Exploitability

The CVSS score of 8.1 classifies the vulnerability as high severity. The EPSS score of less than 1% indicates a low probability of widespread exploitation at present. It is not currently listed in the CISA KEV catalog. Based on the description, the attacker can supply a crafted file path that is included via the theme’s PHP code, enabling local file inclusion. Successful exploitation could allow execution of arbitrary PHP code on the server.

Generated by OpenCVE AI on May 1, 2026 at 05:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Navian theme to a version newer than 1.5.4
  • If an upgrade is not possible, switch to a different theme or disable the Navian theme entirely
  • Configure the web server to restrict include paths and enforce strict file permissions to prevent unauthorized file inclusion



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 17:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 08 Jan 2026 09:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion. This issue affects Navian: from n/a through <= 1.5.4.

Type: Title
Values Added: WordPress Navian theme <= 1.5.4 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:10:57.530Z

Reserved: 2025-12-10T03:28:29.081Z

Link: CVE-2025-14431

Vulnrichment

Updated: 2026-01-08T15:00:58.266Z

NVD

Status: Deferred

Published: 2026-01-08T10:15:46.463

Modified: 2026-04-27T17:16:25.340

Link: CVE-2025-14431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses