Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9.
Published: 2025-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability occurs because the Grip theme allows an attacker to manipulate the filename used in a PHP include/require statement. The flaw could enable the execution of arbitrary PHP code or reading of sensitive files on the server. Because the underlying weakness is CWE-98, the attack can compromise confidentiality and integrity of the site and could lead to full compromise of the web application and underlying system.

Affected Systems

All publicly available versions of the Candid themes Grip theme from the first release through version 1.0.9 are affected. The issue consists of uncontrolled file paths in the theme’s code, which means any site running these versions is vulnerable until an updated theme is installed.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity vulnerability. The EPSS score of less than 1 % shows that the probability of exploitation in the wild is low, and the issue is not currently listed in CISA’s KEV catalog. Nonetheless, attackers could exploit the flaw using a crafted URL or form input that points to sensitive server files or remote resources, with a threat vector that is likely local or web‑based. The risk is therefore moderate to high if the site is publicly exposed.

Generated by OpenCVE AI on May 1, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Grip theme (any release newer than 1.0.9).
  • If immediate upgrade is not possible, modify the theme code to validate or whitelist file paths used in include/require statements so that only trusted files can be loaded.
  • Disable the PHP setting allow_url_include and set stricter file permissions on the server to prevent reading of sensitive files; add WAF rules to block suspicious include attempts.

Generated by OpenCVE AI on May 1, 2026 at 08:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15752 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9.
History

Tue, 28 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
References

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip grip.This issue affects Grip: from n/a through <= 1.0.9. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9.
References

Thu, 23 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip grip.This issue affects Grip: from n/a through <= 1.0.9.
References

Mon, 19 May 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 19 May 2025 18:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Candid themes Grip.This issue affects Grip: from n/a through 1.0.9.
Title WordPress Grip theme <= 1.0.9 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:39.805Z

Reserved: 2025-02-14T06:52:48.754Z

Link: CVE-2025-26735

cve-icon Vulnrichment

Updated: 2025-05-19T21:14:42.597Z

cve-icon NVD

Status : Deferred

Published: 2025-05-19T18:15:27.710

Modified: 2026-04-28T19:29:43.323

Link: CVE-2025-26735

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:30:12Z

Weaknesses