Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wproyal News Magazine X news-magazine-x allows PHP Local File Inclusion.This issue affects News Magazine X: from n/a through <= 1.2.37.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filenames in a PHP Include/Require statement within the News Magazine X theme. It permits a PHP Local File Inclusion, allowing an attacker to read any file on the server that the web user can access, or to execute arbitrary code if a writable file such as a configuration or WordPress file is targeted. This weakness is catalogued as CWE-98, reflecting a lack of proper validation of file paths.

Affected Systems

WordPress installations that deploy the News Magazine X theme from the earliest available release through version 1.2.37 are susceptible to this flaw. The CVE notes that all releases up to and including 1.2.37 contain the vulnerability, and earlier versions may also be impacted but are not explicitly listed.

Risk and Exploitability

The CVSS score of 7.5 indicates a moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not flagged in the CISA KEV catalog. The likely attack vector is a web request that influences the include path — for example, a crafted URL parameter or form field that feeds into the include logic. Once the attacker can control the path, they may read sensitive files such as /wp-config.php or trigger code execution if a file with PHP code is placed in a writable location. Because the flaw is straightforward to exploit once discovered, the overall risk to affected sites remains significant.

Generated by OpenCVE AI on May 2, 2026 at 01:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the News Magazine X theme to the latest available release that follows version 1.2.37, which should contain the fix for the filename validation issue.
  • If an upgrade cannot be performed immediately, modify the theme’s file inclusion logic to restrict include paths to a hard‑coded whitelist of allowed files, ensuring that only intended resources can be loaded.
  • Deploy application‑level firewall rules that reject directory traversal patterns or other suspicious paths aimed at the theme’s include handlers.

Generated by OpenCVE AI on May 2, 2026 at 01:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-24727 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Royal Themes News Magazine X allows PHP Local File Inclusion. This issue affects News Magazine X: from n/a through 1.2.37.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Royal Themes News Magazine X allows PHP Local File Inclusion. This issue affects News Magazine X: from n/a through 1.2.37. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wproyal News Magazine X news-magazine-x allows PHP Local File Inclusion.This issue affects News Magazine X: from n/a through <= 1.2.37.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Sat, 16 Aug 2025 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wp-royal-themes
Wp-royal-themes news Magazine X
Vendors & Products Wordpress
Wordpress wordpress
Wp-royal-themes
Wp-royal-themes news Magazine X

Thu, 14 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Royal Themes News Magazine X allows PHP Local File Inclusion. This issue affects News Magazine X: from n/a through 1.2.37.
Title WordPress News Magazine X <= 1.2.35 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wp-royal-themes News Magazine X
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:34.362Z

Reserved: 2025-01-23T14:53:16.439Z

Link: CVE-2025-24766

cve-icon Vulnrichment

Updated: 2025-08-14T14:22:41.174Z

cve-icon NVD

Status : Deferred

Published: 2025-08-14T11:15:28.757

Modified: 2026-04-23T15:25:28.127

Link: CVE-2025-24766

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-02T01:15:06Z

Weaknesses