Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Krowd krowd allows PHP Local File Inclusion. This issue affects Krowd: from n/a through < 1.5.0.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Gavias Krowd theme stems from improper control of filenames used in PHP include/require statements. An attacker can manipulate the input to this inclusion mechanism and cause the server to read arbitrary files stored locally. The data exposed could include configuration files, credentials, or other sensitive content, and if an attacker can place malicious PHP code on the file system, execution of that code is possible, compromising the integrity and availability of the site.

Affected Systems

This issue affects all installations of the Gavias Krowd WordPress theme with a version number lower than 1.5.0. The vulnerability is present in every release from the initial 1.0 version up to, but not including, 1.5.0. All WordPress sites that have this theme installed within that version range are potentially impacted.

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity, and the EPSS score of less than 1% suggests that while exploitation is uncommon, it remains a realistic threat. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an unauthenticated HTTP request to a vulnerable URL that triggers the inclusion logic, meaning anyone on the internet could potentially exploit the flaw without prior access.

Generated by OpenCVE AI on May 1, 2026 at 07:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Gavias Krowd theme to version 1.5.0 or later, where the file inclusion control is fixed.
  • If an upgrade is not immediately possible, restrict access to the directories that can be included: configure the web server to deny direct requests to those paths, and set the PHP include_path to a location that is not user-writable.
  • Implement input validation in the theme: sanitize and whitelist allowed file names before passing them to include/require, ensuring that only files within a designated safe directory are included.
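As an added illustration of the last recommendation (example code, not the Krowd theme's own): a template-part loader in the weak form that the CWE-98 class describes, beside an allowlist version that also confines the resolved path to one directory. `get_template_directory()`, `status_header()` and `sanitize_key()` are standard WordPress functions; the function names, the `part` parameter and the file names are assumptions.

```php
<?php
// Added example (not the Krowd theme's code): a template-part loader showing
// the CWE-98 pattern and the allowlist fix recommended above. Function names,
// the $part parameter and the part file names are assumptions.

declare(strict_types=1);

// Weak pattern: the request value is spliced straight into the include path,
// so a traversal sequence or absolute path selects an arbitrary local file.
function load_part_weak(string $part): void
{
    include get_template_directory() . '/parts/' . $part . '.php';
}

// Hardened pattern: only names from a fixed allowlist are accepted, and the
// resolved path must still sit under the intended directory (defense in depth).
const ALLOWED_PARTS = ['header', 'footer', 'sidebar'];

function resolve_part(string $part): ?string
{
    if (!in_array($part, ALLOWED_PARTS, true)) {
        return null;                       // unknown name: refuse
    }
    $base = realpath(get_template_directory() . '/parts');
    $file = realpath($base . '/' . $part . '.php');
    // realpath() returns false for a missing file; the prefix test rejects
    // any resolved path that escapes the parts directory
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

function load_part_safe(string $part): void
{
    $file = resolve_part($part);
    if ($file === null) {
        status_header(400);                // reject instead of guessing
        return;
    }
    include $file;
}

// Usage from a theme request handler (sanitize_key() strips everything but
// lowercase letters, digits, underscore and hyphen before the allowlist check):
// load_part_safe(sanitize_key($_GET['part'] ?? 'header'));
```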

Advisories

Source: EUVD
ID: EUVD-2025-17510
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Krowd allows PHP Local File Inclusion. This issue affects Krowd: from n/a through 1.4.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
Type: Metrics (cvssV3_1)
Values: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
Type: Description
Values removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Krowd allows PHP Local File Inclusion. This issue affects Krowd: from n/a through 1.4.1.
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Krowd krowd allows PHP Local File Inclusion. This issue affects Krowd: from n/a through < 1.5.0.
Type: Title
Values removed: WordPress Krowd <= 1.4.1 - Local File Inclusion Vulnerability
Values added: WordPress Krowd theme < 1.5.0 - Local File Inclusion vulnerability
Type: References
Type: Metrics (cvssV3_1)
Values: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000
Type: Metrics (epss)
Values removed: {'score': 0.00151}
Values added: {'score': 0.00165}

Tue, 10 Jun 2025 14:15:00 +0000
Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000
Type: Description
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Krowd allows PHP Local File Inclusion. This issue affects Krowd: from n/a through 1.4.1.
Type: Title
Values added: WordPress Krowd <= 1.4.1 - Local File Inclusion Vulnerability
Type: Weaknesses
Values added: CWE-98
Type: References
Type: Metrics (cvssV3_1)
Values added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:25.088Z

Reserved: 2025-04-09T11:20:21.867Z

Link: CVE-2025-32595

Vulnrichment

Updated: 2025-06-10T13:36:45.642Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:39.937

Modified: 2026-04-23T15:29:10.650

Link: CVE-2025-32595

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T07:45:06Z

Weaknesses