Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Healsoul healsoul allows PHP Local File Inclusion. This issue affects Healsoul: from n/a through <= 2.2.3.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Healsoul WordPress theme contains an improperly controlled filename for an include/require statement in PHP. This flaw allows a local file inclusion (LFI) vector to be exploited, potentially exposing sensitive files or executing arbitrary code on the affected server. The reported weakness is classified as CWE-98. The impact is that an attacker who can influence the include path may read local files or gain further compromise of the web application.

Affected Systems

The vulnerability affects the ThemeMove Healsoul WordPress theme, versions up to and including 2.2.3. Any WordPress site that has this theme installed and has not updated beyond v2.2.3 is at risk. Owners of older WordPress installations that rely on this theme should verify their version and apply vendor updates accordingly.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, but the EPSS score of less than 1% suggests that, as of the latest data, exploitation is considered unlikely. The vulnerability appears to be exploitable via a local file inclusion path, typically triggered by user input that feeds the include filename. Inferred attack vectors include unauthenticated or low-privilege users capable of sending crafted requests that result in local file inclusion. The vulnerability is not listed in CISA's KEV catalog, so there are no known widespread public exploitation cases at this time.

Generated by OpenCVE AI on May 1, 2026 at 08:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Healsoul theme to a version newer than 2.2.3, if one is available.
  • If an upgrade is not possible, replace or remove the Healsoul theme entirely to eliminate the vulnerable code.
  • Validate and sanitize the include path, restricting file names to a whitelist and preventing directory traversal to mitigate the LFI vulnerability.



Advisories
Source: EUVD
ID: EUVD-2025-27827
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Healsoul allows PHP Local File Inclusion. This issue affects Healsoul: from n/a through 2.0.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Healsoul allows PHP Local File Inclusion. This issue affects Healsoul: from n/a through 2.0.2.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Healsoul healsoul allows PHP Local File Inclusion. This issue affects Healsoul: from n/a through <= 2.2.3.

Type: Title
Values Removed: WordPress Healsoul <= 2.0.2 - Local File Inclusion Vulnerability
Values Added: WordPress Healsoul theme <= 2.2.3 - Local File Inclusion Vulnerability

References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 28 Jan 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared: Thememove, Thememove healsoul
CPEs: cpe:2.3:a:thememove:healsoul:*:*:*:*:*:wordpress:*:*
Vendors & Products: Thememove, Thememove healsoul

Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Healsoul allows PHP Local File Inclusion. This issue affects Healsoul: from n/a through 2.0.2.
Title WordPress Healsoul <= 2.0.2 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:21.815Z

Reserved: 2025-04-04T10:02:55.220Z

Link: CVE-2025-32309

Vulnrichment

Updated: 2025-05-23T13:40:08.042Z

NVD

Status: Modified

Published: 2025-05-23T13:15:30.263

Modified: 2026-04-23T15:28:56.730

Link: CVE-2025-32309

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses