Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.4.
Published: 2025-08-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filenames in PHP include/require statements within the RT-Theme 18 | Extensions plugin. An attacker can craft a request that forces the plugin to include arbitrary local files, potentially exposing sensitive data or enabling execution of malicious code. This weakness falls under CWE-98 and fundamentally threatens confidentiality, integrity, and potentially availability of the affected WordPress site.

Affected Systems

RT-Theme 18 | Extensions, a WordPress plugin by stmcan, is affected in all releases from the initial release through version 2.4. The issue involves the built‑in file inclusion logic of the plugin and therefore impacts any WordPress installation deploying this plugin in those versions.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests that, as of the latest data, the probability of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, which reduces its immediate threat visibility. Based on the description, the likely attack vector is authenticated or arbitrary file path manipulation, triggered by a user with write access to the plugin’s configuration or via a crafted URL. Exact prerequisites are not detailed in the data, so a cautious stance is recommended.

Generated by OpenCVE AI on April 30, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the RT-Theme 18 | Extensions plugin to version 2.5 or later to apply the vendor‑provided fix.
  • Disable or remove the plugin from the WordPress installation until an updated version is available.
  • Implement server‑side path validation or a hardened include mechanism to prevent arbitrary file inclusion; consider using a whitelist of permissible files and sanitizing any user‑supplied file names.

Advisories

Source: EUVD
ID: EUVD-2025-24744
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through 2.4.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through 2.4.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.4.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Thu, 14 Aug 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through 2.4.
Title WordPress RT-Theme 18 | Extensions plugin <= 2.4 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:32:54.842Z

Reserved: 2025-04-04T10:02:38.419Z

Link: CVE-2025-32288

Vulnrichment

Updated: 2025-08-14T19:39:39.195Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:33.750

Modified: 2026-04-23T15:28:54.367

Link: CVE-2025-32288

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:30:16Z

Weaknesses