Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore bw-giftxtore allows PHP Local File Inclusion. This issue affects GiftXtore: from n/a through < 1.7.7.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper control of the filename passed to PHP include/require statements (CWE-98), which allows local file inclusion. An attacker can manipulate the include path to read arbitrary files on the server or execute PHP code, leading to information disclosure or full remote code execution.

Affected Systems

The BZOTheme GiftXtore WordPress theme is affected in all versions from the initial release through any version earlier than 1.7.7, so every installation running a GiftXtore theme below 1.7.7 is in scope.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity. The EPSS score is reported as less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a crafted web request that triggers the vulnerable include logic; an attacker who can influence the request may gain access to local server files or execute code.

Generated by OpenCVE AI on May 1, 2026 at 07:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the GiftXtore theme to version 1.7.7 or later, which includes the fix for the local file inclusion issue.
  • Review any existing theme code for custom include or require statements and ensure proper input validation when constructing file paths.
  • Implement server‑side access controls and file‑system permissions to restrict PHP from reading sensitive files, and monitor web traffic for anomalous include attempts.



Advisories
Source: EUVD
ID: EUVD-2025-17484
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore allows PHP Local File Inclusion. This issue affects GiftXtore: from n/a through 1.7.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore allows PHP Local File Inclusion.This issue affects GiftXtore: from n/a before 1.7.7.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore bw-giftxtore allows PHP Local File Inclusion.This issue affects GiftXtore: from n/a through < 1.7.7.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 18 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore allows PHP Local File Inclusion. This issue affects GiftXtore: from n/a through 1.7.4.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore allows PHP Local File Inclusion.This issue affects GiftXtore: from n/a before 1.7.7.
Title
  Removed: WordPress GiftXtore <= 1.7.4 - Local File Inclusion Vulnerability
  Added: WordPress GiftXtore theme < 1.7.7 - Local File Inclusion vulnerability

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics
  Removed: epss {'score': 0.00151}
  Added: epss {'score': 0.00165}


Mon, 09 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme GiftXtore allows PHP Local File Inclusion. This issue affects GiftXtore: from n/a through 1.7.4.
Title WordPress GiftXtore <= 1.7.4 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.951Z

Reserved: 2025-03-11T08:09:09.176Z

Link: CVE-2025-28888

Vulnrichment

Updated: 2025-06-09T17:17:37.771Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:35.857

Modified: 2026-04-23T15:26:32.283

Link: CVE-2025-28888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses