Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen snssimen allows PHP Local File Inclusion. This issue affects Simen: from n/a through <= 4.6.
Published: 2025-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Simen theme performs PHP include/require operations using filenames that are not properly controlled, a flaw classified as CWE‑98. This vulnerability can allow a malicious user to read any local file on the web server or, if a file that can be written by the attacker is included, execute arbitrary PHP code. The CVE explicitly states the issue results in local file inclusion rather than remote inclusion.

Affected Systems

WordPress installations that use the Simen theme (Snstheme Snssimen) version 4.6 or earlier. All releases up to and including 4.6 contain the flaw; later releases have not been confirmed to be affected.

Risk and Exploitability

The CVSS score of 8.1 signifies a high-severity vulnerability, while the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The issue is not listed in the CISA KEV catalog, which means no exploitation in the wild has been recorded there at this time. Based on the description, it is inferred that the most likely attack vector involves a crafted request to the theme’s front‑end that supplies a user‑controlled filename to a vulnerable include/require call, though the CVE does not specify the exact trigger mechanism. Once exploited, the attacker could read sensitive files or execute server‑side code without needing privileged access.

Generated by OpenCVE AI on May 1, 2026 at 07:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Simen theme to the latest patched release, if available; if no update exists, consider replacing the theme with a maintained alternative.
  • Refactor the theme code to remove any dynamic include/require statements that use untrusted input; replace them with static includes or a whitelist of allowed files.
  • Validate or sanitize all parameters that influence file names in include/require calls, ensuring they can only reference allowed directories and file types.
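
An added example, not code from the Simen theme or from OpenCVE, showing one way to apply the allowlist and the directory and file-type checks recommended above in PHP. The `layout` parameter, the `templates/` directory and the file names are hypothetical, since the CVE does not identify the vulnerable parameter.

```php
<?php
// Added example: hypothetical theme helper, not code from the Simen theme.
// Constructed allowlist: request value => file below the template directory.
const LAYOUT_ALLOWLIST = [
    'grid'    => 'layouts/grid.php',
    'list'    => 'layouts/list.php',
    'masonry' => 'layouts/masonry.php',
];

/** Resolve a user-supplied layout name to an absolute path, or null if rejected. */
function resolve_layout(string $requested, string $baseDir): ?string
{
    // 1. Allowlist lookup: the request value is only ever an array key,
    //    never concatenated into a path.
    if (!array_key_exists($requested, LAYOUT_ALLOWLIST)) {
        return null;
    }

    // 2. Canonicalise both paths so symlinks and ".." segments are resolved.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . LAYOUT_ALLOWLIST[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }

    // 3. Defence in depth: the resolved file must stay inside the base
    //    directory and must be a regular .php file.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (pathinfo($path, PATHINFO_EXTENSION) !== 'php' || !is_file($path)) {
        return null;
    }
    return $path;
}

// Vulnerable pattern (CWE-98), shown for contrast only:
//   include $baseDir . '/' . $_GET['layout'] . '.php';

// Hardened call site: non-string or unknown values fall back to a fixed default.
$templates = __DIR__ . '/templates';
$layout    = isset($_GET['layout']) && is_string($_GET['layout']) ? $_GET['layout'] : 'grid';
$file      = resolve_layout($layout, $templates) ?? resolve_layout('grid', $templates);
if ($file !== null) {
    include $file;
} else {
    http_response_code(404);
}
```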



Advisories
Source: EUVD
ID: EUVD-2025-18516
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen allows PHP Local File Inclusion. This issue affects Simen: from n/a through 4.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen allows PHP Local File Inclusion. This issue affects Simen: from n/a through 4.6.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen snssimen allows PHP Local File Inclusion. This issue affects Simen: from n/a through <= 4.6.
Title
  Removed: WordPress Simen <= 4.6 - Local File Inclusion Vulnerability
  Added: WordPress Simen theme <= 4.6 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Jun 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Simen allows PHP Local File Inclusion. This issue affects Simen: from n/a through 4.6.
Title WordPress Simen <= 4.6 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:52.572Z

Reserved: 2025-03-11T08:10:52.910Z

Link: CVE-2025-29002

Vulnrichment

Updated: 2025-06-17T17:42:52.591Z

NVD

Status: Deferred

Published: 2025-06-17T15:15:41.360

Modified: 2026-06-17T09:05:01.683

Link: CVE-2025-29002

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:30:11Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')