Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting vizeon allows PHP Local File Inclusion. This issue affects Vizeon - Business Consulting: from n/a through < 1.2.1.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper control of a filename used in a PHP include/require statement within the WordPress Vizeon theme. An attacker can manipulate input that determines the file path, allowing inclusion of arbitrary local files. If an attacker can force the inclusion of PHP code or a web shell residing on the server, the exploit can result in remote code execution, data exfiltration, or privilege escalation. The weakness is classified as CWE‑98, indicating insecure file inclusion handling.

Affected Systems

The Vizeon – Business Consulting WordPress theme supplied by gavias is affected. All versions prior to 1.2.1, from the earliest available version through the 1.1.1 release, are vulnerable. The vulnerability is present in the theme's legacy code that handles file inclusion logic.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, indicating high severity. The EPSS score of <1% indicates a very low likelihood of exploitation at this time. It is not listed in CISA's KEV catalog, which means CISA has not recorded confirmed exploitation in the wild. Exploitation requires an attacker to influence the filename passed to PHP include/require statements, resulting in local file inclusion. Successful exploitation could allow arbitrary code execution, data exfiltration, or privilege escalation on the affected WordPress site.

Generated by OpenCVE AI on May 2, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vizeon theme to version 1.2.1 or later, which removes the vulnerable file inclusion logic.
  • If an immediate upgrade is not possible, locate the code responsible for the include/require statements and comment it out or replace it with a safe alternative that does not accept user input in the file path.
  • Configure the web server or .htaccess to deny direct access to PHP files that may reside in the theme directory, preventing the execution of unintended files.
  • Enable logging of file inclusion attempts and monitor the logs for suspicious activity, alerting administrators to possible exploitation attempts.
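
One way to implement the "safe alternative" and the logging named in the actions above, as an added example that is not code from the Vizeon theme or from OpenCVE: the request value only selects an entry in a fixed allowlist, the resolved path must stay inside the template directory, and every rejection is logged. The function name, template names and directory are hypothetical.

```php
<?php
// Added example with hypothetical names; not code from the Vizeon theme.

/**
 * Resolve a requested template name to a file inside $baseDir, or return null.
 * The request value only selects a key in a fixed allowlist; it is never
 * concatenated into the path handed to include/require.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist lookup: unknown names are rejected and logged.
    if (!array_key_exists($requested, $allowed)) {
        error_log('template include rejected: ' . json_encode($requested));
        return null;
    }

    // 2. Canonicalise both paths so symlinks and ".." segments are resolved.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment check: the resolved file must sit under the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('template include outside base dir: ' . $path);
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory holding one template file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'grid.php', '<?php echo "grid layout\n";');
$allowed = ['grid' => 'grid.php', 'list' => 'list.php'];

foreach (['grid', 'list', '../outside', 'grid.php'] as $input) {
    $file = resolve_template($input, $dir, $allowed);
    if ($file !== null) {
        include $file;               // only ever a canonical, allowlisted path
    } else {
        echo "rejected: $input\n";   // missing file, unknown key, or traversal
    }
}
unlink($dir . DIRECTORY_SEPARATOR . 'grid.php');
rmdir($dir);
```

The rejected value is passed through json_encode before logging so that control characters in the request cannot forge extra log lines.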



Advisories
Source: EUVD
ID: EUVD-2025-27800
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting allows PHP Local File Inclusion. This issue affects Vizeon - Business Consulting: from n/a through 1.1.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting allows PHP Local File Inclusion. This issue affects Vizeon - Business Consulting: from n/a through 1.1.7.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting vizeon allows PHP Local File Inclusion. This issue affects Vizeon - Business Consulting: from n/a through < 1.2.1.
Title
  Removed: WordPress Vizeon - Business Consulting <= 1.1.7 - Local File Inclusion Vulnerability
  Added: WordPress Vizeon theme < 1.2.1 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Vizeon - Business Consulting allows PHP Local File Inclusion. This issue affects Vizeon - Business Consulting: from n/a through 1.1.7.
Title WordPress Vizeon - Business Consulting <= 1.1.7 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:04.568Z

Reserved: 2025-03-26T09:25:47.352Z

Link: CVE-2025-31064

Vulnrichment

Updated: 2025-05-23T13:21:30.508Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:26.590

Modified: 2026-04-23T15:27:38.390

Link: CVE-2025-31064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:30:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')