Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pixflow Massive Dynamic massive-dynamic.This issue affects Massive Dynamic: from n/a through <= 8.2.
Published: 2025-03-10
Score: 9 Critical
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This issue is a PHP Remote File Inclusion vulnerability arising from improper control of the filename used in an include/require statement. An attacker can supply a crafted filename to cause the application to read and execute arbitrary local files, potentially enabling code execution. The vulnerability can be triggered without authentication, exposing the site to unauthenticated attackers.

Affected Systems

WordPress installations that use the Pixflow Massive Dynamic theme version 8.2 or earlier are affected. The flaw exists in all releases from the theme’s initial build through 8.2, meaning any site running one of those versions meets the CVE’s affected‑version definition.

Risk and Exploitability

The CVSS score of 9 indicates critical severity, and an EPSS score of 2% shows a moderate likelihood of exploitation. Although the flaw is not yet listed in CISA KEV, its absence does not diminish the risk. Exploitation requires an attacker to craft an HTTP request that causes the theme to resolve a path outside the intended directory; the payload is fully controlled by the attacker and can lead to arbitrary code execution.

Generated by OpenCVE AI on May 1, 2026 at 14:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Massive Dynamic theme to version 8.3 or later, which contains a patch for this flaw.
  • If an immediate upgrade is not possible, disable the theme or switch to a different WordPress theme that does not include the vulnerable code.
  • As a temporary safeguard, configure the web server so the PHP process cannot read or execute sensitive files, or deploy a web application firewall rule that blocks suspicious include requests.

Generated by OpenCVE AI on May 1, 2026 at 14:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-7717 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Pixflow Massive Dynamic massive-dynamic.This issue affects Massive Dynamic: from n/a through <= 8.2.
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Mon, 10 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 10 Mar 2025 14:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.
Title WordPress Massive Dynamic theme <= 8.2 - Unauthenticated Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Epc Massive Dynamic Plugin
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:43.871Z

Reserved: 2025-02-17T11:50:52.141Z

Link: CVE-2025-26916

cve-icon Vulnrichment

Updated: 2025-03-10T14:51:31.342Z

cve-icon NVD

Status : Deferred

Published: 2025-03-10T15:15:37.830

Modified: 2026-04-23T15:26:03.927

Link: CVE-2025-26916

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')