Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore bw-printxtore allows PHP Local File Inclusion.This issue affects PrintXtore: from n/a through < 1.7.8.
Published: 2025-06-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filenames used in PHP include/require statements in the PrintXtore theme permits local file inclusion. An attacker can supply crafted input that directs the PHP interpreter to include arbitrary files from the server’s filesystem, potentially exposing sensitive configuration files or enabling the execution of malicious code. This weakness leads to a compromise of the application’s integrity and may allow further exploitation such as remote code execution if the included files contain executable code.

Affected Systems

The vulnerability exists in the WordPress PrintXtore theme supplied by BZOTheme for all versions below 1.7.8. WordPress installations that have this theme installed and have not applied patch version 1.7.8 or later are affected.

Risk and Exploitability

The CVSS v3 base score of 8.1 classifies this as a high‑severity flaw. The EPSS score of less than 1% indicates that the exploit probability is very low, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is a publicly accessible WordPress site where an attacker can inject a malicious filename into a request that triggers the theme’s inclusion logic. While the reported impact is local file inclusion, the potential for subsequent code execution makes the risk significant for administrators of affected installations.

Generated by OpenCVE AI on May 1, 2026 at 07:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PrintXtore theme version (1.7.8 or newer) to eliminate the vulnerability.
  • If an upgrade cannot be performed immediately, remove or disable any plugins or configuration settings that allow arbitrary file inclusion by the theme, ensuring the theme never receives user‑supplied filenames.
  • Restrict the PHP include_path or use open_basedir to prevent the theme from accessing sensitive directories, and validate or whitelist any paths that may be included by the theme logic.

Generated by OpenCVE AI on May 1, 2026 at 07:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19265 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion. This issue affects PrintXtore: from n/a through 1.7.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion.This issue affects PrintXtore: from n/a before 1.7.8. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore bw-printxtore allows PHP Local File Inclusion.This issue affects PrintXtore: from n/a through < 1.7.8.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion. This issue affects PrintXtore: from n/a through 1.7.5. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion.This issue affects PrintXtore: from n/a before 1.7.8.
Title WordPress PrintXtore theme <= 1.7.5 - Local File Inclusion Vulnerability WordPress PrintXtore theme < 1.7.8 - Local File Inclusion vulnerability

Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion. This issue affects PrintXtore: from n/a through 1.7.5.
Title WordPress PrintXtore theme <= 1.7.5 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:51.595Z

Reserved: 2025-03-11T08:10:12.305Z

Link: CVE-2025-28946

cve-icon Vulnrichment

Updated: 2025-06-27T14:04:56.181Z

cve-icon NVD

Status : Deferred

Published: 2025-06-27T12:15:31.950

Modified: 2026-04-23T15:26:39.323

Link: CVE-2025-28946

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T07:30:11Z

Weaknesses