Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite. This issue affects aThemes Addons for Elementor: from n/a through <= 1.1.3.
Published: 2025-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The aThemes Addons for Elementor plugin contains a Local File Inclusion flaw caused by improper control of filenames used in PHP include/require statements. Exploitation could allow an attacker to read sensitive files on the server and, under the right conditions, execute arbitrary code. The vulnerability is tied to CWE-98 and is present in all releases from the initial version up to and including 1.1.3, with no indication that it has been addressed in older releases.

Affected Systems

This weakness affects WordPress sites that use the free aThemes Addons for Elementor plugin, published by Syed Balkhi, in any version numbered 1.1.3 or older.

Risk and Exploitability

The CVSS score of 7.5 classifies the issue as high severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread exploitation has been documented yet. Potential attackers could trigger the flaw by manipulating query parameters or other input fields that influence the filename passed to include or require, thereby enabling local file inclusion and possibly remote code execution. The attack is likely limited to local files on the server and requires the plugin to be active on the target WordPress installation.

Generated by OpenCVE AI on April 30, 2026 at 23:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade aThemes Addons for Elementor to a version newer than 1.1.3, which removes the filename validation flaw.
  • If an immediate upgrade is not feasible, disable or uninstall the plugin until a patched version is available to eliminate the inclusion point.
  • Verify that file permissions on the WordPress installation are restrictive and that no sensitive files are readable by the web server user, reducing the impact if inclusion is attempted.

Advisories
Source: EUVD
ID: EUVD-2025-10475
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aThemes aThemes Addons for Elementor. This issue affects aThemes Addons for Elementor: from n/a through 1.0.15.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aThemes aThemes Addons for Elementor. This issue affects aThemes Addons for Elementor: from n/a through 1.0.15.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Syed Balkhi aThemes Addons for Elementor athemes-addons-for-elementor-lite. This issue affects aThemes Addons for Elementor: from n/a through <= 1.1.3.
Title
  Values Removed: WordPress aThemes Addons for Elementor plugin <= 1.0.15 - Local File Inclusion vulnerability
  Values Added: WordPress aThemes Addons for Elementor plugin <= 1.1.3 - Local File Inclusion vulnerability
References
Metrics
  Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 29 May 2025 16:15:00 +0000

First Time appeared
  Values Added: Athemes; Athemes athemes Addons For Elementor
Weaknesses
  Values Added: NVD-CWE-Other
CPEs
  Values Added: cpe:2.3:a:athemes:athemes_addons_for_elementor:*:*:*:*:free:wordpress:*:*
Vendors & Products
  Values Added: Athemes; Athemes athemes Addons For Elementor

Thu, 10 Apr 2025 14:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 10 Apr 2025 08:15:00 +0000

Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in aThemes aThemes Addons for Elementor. This issue affects aThemes Addons for Elementor: from n/a through 1.0.15.
Title
  Values Added: WordPress aThemes Addons for Elementor plugin <= 1.0.15 - Local File Inclusion vulnerability
Weaknesses
  Values Added: CWE-98
References
Metrics
  Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:17.800Z

Reserved: 2025-04-04T10:00:58.028Z

Link: CVE-2025-32158

Vulnrichment

Updated: 2025-04-10T14:07:16.472Z

NVD

Status: Modified

Published: 2025-04-10T08:15:16.687

Modified: 2026-04-23T15:28:40.020

Link: CVE-2025-32158

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T23:30:03Z

Weaknesses