Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Ogami ogami allows PHP Local File Inclusion. This issue affects Ogami: from n/a through <= 1.53.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filenames in the include/require statements of the Ogami theme allows an attacker to perform PHP local file inclusion, which enables reading arbitrary files on the web server and possibly executing malicious code, depending on the included content. The weakness is classified as CWE‑98 and carries a CVSS score of 8.1, indicating a high‑severity vulnerability.

Affected Systems

All installations of the ApusTheme Ogami WordPress theme with a version number of 1.53 or earlier are impacted. The vulnerability applies from the earliest released version (n/a) through version 1.53 inclusive.

Risk and Exploitability

The exploit can be performed from the public web interface, assuming the theme’s vulnerable include routine accepts user‑controlled input. The attack vector is likely through crafted URLs or form inputs that manipulate the path sent to the include/require function. Although the EPSS score is below 1%, indicating a low probability of exploitation in the wild thus far, the high CVSS score and the lack of a KEV listing mean that careful monitoring and rapid mitigation are advised. No additional prerequisites are publicly documented, but successful exploitation requires that the attacker can send a request to the vulnerable script.

Generated by OpenCVE AI on April 30, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ogami theme to version 1.54 or later, which removes the vulnerable include logic.
  • If an immediate upgrade is not possible, limit PHP path traversal by sanitizing all user‐supplied file names before any include/require operation to ensure only approved, whitelisted paths are used.
  • Deploy a web application firewall or host‑based rule to block requests containing patterns such as "../" or attempts to include system files like /etc/passwd.
  • Reroute or disable any custom theme functionality that dynamically includes files based on external input.



Advisories
Source: EUVD
ID: EUVD-2025-27811
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Ogami allows PHP Local File Inclusion. This issue affects Ogami: from n/a through 1.53.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Ogami allows PHP Local File Inclusion. This issue affects Ogami: from n/a through 1.53.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Ogami ogami allows PHP Local File Inclusion.This issue affects Ogami: from n/a through <= 1.53.
Title
  Removed: WordPress Ogami <= 1.53 - Local File Inclusion Vulnerability
  Added: WordPress Ogami theme <= 1.53 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Ogami allows PHP Local File Inclusion. This issue affects Ogami: from n/a through 1.53.
Title WordPress Ogami <= 1.53 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:16.247Z

Reserved: 2025-04-01T13:21:47.737Z

Link: CVE-2025-31913

Vulnrichment

Updated: 2025-05-23T13:24:37.437Z

NVD

Status: Deferred

Published: 2025-05-23T13:15:28.140

Modified: 2026-04-23T15:28:32.357

Link: CVE-2025-31913

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')