Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Moody tm-moody allows PHP Local File Inclusion.This issue affects Moody: from n/a through <= 2.7.3.
Published: 2026-01-08
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Moody theme for WordPress contains a flaw where user input is used directly in PHP include/require statements without proper validation of the file name. This improper control of filenames allows an attacker to manipulate the include path and request arbitrary files on the server, potentially leading to sensitive data disclosure or, if an attacker can inject executable code, remote code execution. The weakness is classified as CWE-98.

Affected Systems

ThemeMove’s Moody theme running on WordPress installations is affected. All versions up to and including 2.7.3 are vulnerable; higher numbered releases are not impacted as they have removed the insecure include logic.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity of this local file inclusion flaw. The EPSS score is under 1 %, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is benign, such as a crafted request that passes a specially crafted file path to the theme’s PHP code. If an attacker can place malicious content under a directory the theme can read, or if the include points to a scriptable file, the impact could extend to full remote code execution. Administrators should treat this as a high‑risk issue requiring timely patching.

Generated by OpenCVE AI on May 2, 2026 at 00:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Moody theme to the latest release (≥ 2.7.4) which removes the insecure include logic.
  • If an upgrade is not immediately possible, modify the theme files to enforce strict path validation or disable the problematic include parameter entirely.
  • Apply file permission restrictions to prevent the web server from reading sensitive directories, and configure a web‑application firewall to block requests that attempt to include arbitrary files.

Generated by OpenCVE AI on May 2, 2026 at 00:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 27 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Thememove
Thememove moody
CPEs cpe:2.3:a:thememove:moody:*:*:*:*:*:wordpress:*:*
Vendors & Products Thememove
Thememove moody

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 08 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Moody tm-moody allows PHP Local File Inclusion.This issue affects Moody: from n/a through <= 2.7.3.
Title WordPress Moody theme <= 2.7.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Thememove Moody
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:04.821Z

Reserved: 2025-01-07T21:03:24.133Z

Link: CVE-2025-22707

cve-icon Vulnrichment

Updated: 2026-01-08T15:00:19.818Z

cve-icon NVD

Status : Modified

Published: 2026-01-08T10:15:47.473

Modified: 2026-04-27T19:16:11.583

Link: CVE-2025-22707

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:00:15Z

Weaknesses