Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme enzio allows PHP Local File Inclusion.This issue affects Enzio - Responsive Business WordPress Theme: from n/a through < 1.2.6.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is caused by improper control of the filename in a PHP include/require statement within the Enzio theme. The flaw allows an attacker to cause the theme to include arbitrary files from the server; if a PHP file can be forced into the include, the attacker may achieve code execution. The weakness is classified as a local file inclusion and is mapped to CWE-98.

Affected Systems

Gavias Enzio – Responsive Business WordPress Theme. All releases older than 1.2.6 are affected; any WordPress installation using the theme in a version below 1.2.6 is at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score of less than 1% suggests a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is inferred from the description to be through the web interface, where an attacker crafts a request that manipulates the filename parameter to point at system files or other files containing PHP code. If the attacker can read sensitive files, confidentiality is compromised; if the attacker forces execution of PHP code, code execution is possible.

Generated by OpenCVE AI on May 1, 2026 at 08:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Enzio theme to version 1.2.6 or later to fix the local file inclusion flaw.
  • Implement strict input validation so that any filename used in an include or require statement is checked against a whitelist of permitted directories and file names, preventing arbitrary file access.
  • Deploy a web application firewall or similar controls to detect and block attempts to manipulate the filename parameter for file inclusion attacks.

Generated by OpenCVE AI on May 1, 2026 at 08:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-27810 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme allows PHP Local File Inclusion. This issue affects Enzio - Responsive Business WordPress Theme: from n/a through 1.1.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme allows PHP Local File Inclusion. This issue affects Enzio - Responsive Business WordPress Theme: from n/a through 1.1.8. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme enzio allows PHP Local File Inclusion.This issue affects Enzio - Responsive Business WordPress Theme: from n/a through < 1.2.6.
Title WordPress Enzio - Responsive Business WordPress Theme <= 1.1.8 - Local File Inclusion Vulnerability WordPress Enzio - Responsive Business WordPress Theme theme < 1.2.6 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme allows PHP Local File Inclusion. This issue affects Enzio - Responsive Business WordPress Theme: from n/a through 1.1.8.
Title WordPress Enzio - Responsive Business WordPress Theme <= 1.1.8 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.075Z

Reserved: 2025-04-01T13:21:47.736Z

Link: CVE-2025-31912

cve-icon Vulnrichment

Updated: 2025-05-23T13:35:32.629Z

cve-icon NVD

Status : Deferred

Published: 2025-05-23T13:15:27.990

Modified: 2026-04-23T15:28:32.247

Link: CVE-2025-31912

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')