Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. This issue affects La Boom: from n/a through 2.7.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes Improper Control of Filename for Include/Require Statement in a PHP Program, which in this case takes the form of a Local File Inclusion vulnerability. Exploitation allows an attacker to specify an arbitrary file path that is included by the La Boom theme, potentially exposing sensitive files or executing arbitrary code if a malicious PHP file is located on the system. This weakness is classified as CWE-98 and carries a CVSS score of 8.1, indicating a high-severity flaw that can impact the confidentiality, integrity, and availability of the affected WordPress installation.

Affected Systems

The vulnerability affects the SpyroPress La Boom theme, specifically all versions through 2.7. Any WordPress site that has installed La Boom version 2.7 or earlier is vulnerable. No further version details are available, so all installations using these older versions should be considered at risk.

Risk and Exploitability

The CVSS score of 8.1 reflects a significant threat, but the EPSS score of less than 1% indicates that the likelihood of exploitation is low at this time, and the flaw is not listed in the CISA KEV catalog. While the vulnerability is classified as a Local File Inclusion, the lack of explicit details in the description suggests that exploitation would require the attacker to influence the include path, possibly through a crafted request or by placing a malicious file on the server. Thus, the attack vector is likely remote but depends on attacker control of file paths or prior access to the file system.

Generated by OpenCVE AI on May 1, 2026 at 08:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest La Boom theme release that is above version 2.7, which removes the vulnerable include logic.
  • If an upgrade is not immediately possible, constrain the file inclusion path to a known safe directory and filter the input to disallow directory traversal characters.
  • Configure file system permissions so that only trusted directories are readable by the web server and deny execute permissions on files that should not be executed as PHP code.
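
One way to implement the second recommendation above, as an added example (not code from the La Boom theme or from OpenCVE; the function name, directory and template slugs are hypothetical). It combines an allowlist with a canonical-path containment check, so a request value can only ever select a file inside one fixed directory:

```php
<?php
// Added example with hypothetical names; not the theme's own code.
// Resolve a request-supplied template name to a file that is guaranteed
// to live inside one fixed directory, or return null.
function resolve_template(string $name, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: only known template slugs are accepted at all.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: canonicalise both paths and confirm containment,
    //    which also catches symlinks that point outside the directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a throwaway template directory with two files.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($base);
file_put_contents("$base/grid.php", "<?php // grid layout\n");
file_put_contents("$base/list.php", "<?php // list layout\n");
$allowed = ['grid', 'list'];

// Constructed inputs: two valid slugs and several values that must be rejected.
foreach (['grid', 'list', '../outside', 'grid.php', '/tmp/other', 'unknown'] as $input) {
    $resolved = resolve_template($input, $base, $allowed);
    printf("%-14s => %s\n", json_encode($input), $resolved ?? 'rejected');
}

// Caller pattern: include only when a path was returned.
//   $file = resolve_template($requested, $templateDir, $allowed);
//   if ($file !== null) { include $file; }

// Clean up the demo directory.
unlink("$base/grid.php");
unlink("$base/list.php");
rmdir($base);
```

Only `grid` and `list` resolve to a path; every other input is rejected before any filesystem lookup or `include` takes place.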



Advisories
Source | ID | Title
EUVD | EUVD-2025-27807 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. This issue affects La Boom: from n/a through 2.7.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Type | Values Removed | Values Added
Description | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom laboom allows PHP Local File Inclusion.This issue affects La Boom: from n/a through <= 2.7. | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. This issue affects La Boom: from n/a through 2.7.
Title | WordPress La Boom theme <= 2.7 - Local File Inclusion Vulnerability | WordPress La Boom <= 2.7 - Local File Inclusion Vulnerability
References | |

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Type | Values Removed | Values Added
Description | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. This issue affects La Boom: from n/a through 2.7. | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom laboom allows PHP Local File Inclusion.This issue affects La Boom: from n/a through <= 2.7.
Title | WordPress La Boom <= 2.7 - Local File Inclusion Vulnerability | WordPress La Boom theme <= 2.7 - Local File Inclusion Vulnerability
References | |

Fri, 23 May 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. This issue affects La Boom: from n/a through 2.7.
Title | | WordPress La Boom <= 2.7 - Local File Inclusion Vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:10.743Z

Reserved: 2025-03-31T10:06:31.923Z

Link: CVE-2025-31632

Vulnrichment

Updated: 2025-05-23T13:34:37.561Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:27.540

Modified: 2026-04-28T19:31:12.810

Link: CVE-2025-31632

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses