Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito bw-petito allows PHP Local File Inclusion. This issue affects Petito: from n/a through < 1.6.6.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Petito WordPress theme contains a flaw that lets attackers control the filename used in a PHP include/require statement. This lack of proper input validation allows the inclusion of arbitrary local files, which can lead to disclosure of sensitive files or execution of malicious code if a PHP file is included. The issue is cataloged as CWE-98, describing uncontrolled inclusion vulnerabilities.

Affected Systems

BZOTheme Petito releases prior to 1.6.6 are affected. Any installation of Petito version 1.6.5 or earlier remains vulnerable until updated.

Risk and Exploitability

The CVSS score of 8.1 classifies this vulnerability as high severity, indicating that successful exploitation could provide significant access or control over the affected site. The EPSS score is below 1%, indicating a very low current probability of exploitation in the wild, though the risk persists for users with vulnerable installations. There is no listing in CISA’s KEV catalog. An attacker would typically craft a request that points the insecure include/require to a chosen local path; if the path resolves to a PHP source file or a file that the application can interpret as code, the attacker can execute arbitrary PHP, effectively taking control of the application.

Generated by OpenCVE AI on May 1, 2026 at 07:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Petito theme to version 1.6.6 or later.
  • If an update cannot be applied, restrict inclusion to a whitelist of safe directories or remove the insecure include/require logic.
  • Configure the web server or .htaccess to prevent PHP execution in directories that should not contain executable code, such as uploads or theme subfolders.
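The allowlist approach from the second action above, as an added example that is not the Petito theme's code: a hypothetical template loader that maps a request parameter onto a fixed set of files and verifies that the resolved path stays inside the theme's template directory before calling require. The template names and directory layout are assumptions.

```php
<?php
// Added example, not code from the Petito theme. Contrast with the pattern
// CWE-98 describes, where a request value reaches include/require directly:
//   include $templateDir . '/' . $_GET['template'] . '.php';   // do not do this

declare(strict_types=1);

// Fixed allowlist (assumed names): request key => file relative to the template dir.
const TEMPLATE_ALLOWLIST = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'gallery' => 'gallery.php',
];

/**
 * Map an untrusted template key to an absolute path, or return null if the
 * key is not allowlisted or the file does not resolve inside $templateDir.
 */
function resolve_template_path(string $untrustedKey, string $templateDir): ?string
{
    // Only exact allowlist keys pass; "../", stream wrappers and URLs are rejected here.
    if (!array_key_exists($untrustedKey, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . TEMPLATE_ALLOWLIST[$untrustedKey]);
    // Defence in depth: even an allowlisted entry must resolve under the base directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** Include the template for $untrustedKey; returns false (HTTP 400) when rejected. */
function load_template(string $untrustedKey, string $templateDir): bool
{
    $path = resolve_template_path($untrustedKey, $templateDir);
    if ($path === null) {
        http_response_code(400);
        return false;
    }
    require $path; // path comes from the constant table, never from the request
    return true;
}

// Usage: the request only selects an allowlist key, defaulting to 'header'.
// load_template((string) ($_GET['template'] ?? 'header'), __DIR__ . '/templates');
```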

Generated by OpenCVE AI on May 1, 2026 at 07:33 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-17483
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito allows PHP Local File Inclusion. This issue affects Petito: from n/a through 1.6.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito allows PHP Local File Inclusion.This issue affects Petito: from n/a before 1.6.6.
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito bw-petito allows PHP Local File Inclusion.This issue affects Petito: from n/a through < 1.6.6.
  References
  Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 14:45:00 +0000

  Description
    Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito allows PHP Local File Inclusion. This issue affects Petito: from n/a through 1.6.2.
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito allows PHP Local File Inclusion.This issue affects Petito: from n/a before 1.6.6.
  Title
    Removed: WordPress Petito <= 1.6.2 - Local File Inclusion Vulnerability
    Added: WordPress Petito theme < 1.6.6 - Local File Inclusion vulnerability

Fri, 11 Jul 2025 13:45:00 +0000

  Metrics epss
    Removed: {'score': 0.00151}
    Added: {'score': 0.00165}

Tue, 10 Jun 2025 14:15:00 +0000

  Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:15:00 +0000

  Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Petito allows PHP Local File Inclusion. This issue affects Petito: from n/a through 1.6.2.
  Title: WordPress Petito <= 1.6.2 - Local File Inclusion Vulnerability
  Weaknesses: CWE-98
  References
  Metrics cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.200Z

Reserved: 2025-02-21T16:46:11.506Z

Link: CVE-2025-27362

Vulnrichment

Updated: 2025-06-10T13:34:50.547Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:35.663

Modified: 2026-04-23T15:26:26.770

Link: CVE-2025-27362

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses