Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codeworkweb CWW Portfolio cww-portfolio allows PHP Local File Inclusion. This issue affects CWW Portfolio: from n/a through <= 1.3.1.
Published: 2025-04-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper control of the filename used in PHP include/require statements within the CWW Portfolio theme. It allows an attacker who can influence the include path to load arbitrary files from the local filesystem, potentially executing malicious PHP code or retrieving sensitive data. The flaw is categorized as CWE‑98.

Affected Systems

The affected product is the WordPress theme CWW Portfolio owned by codeworkweb. Versions from the initial release up to and including 1.3.1 are susceptible; any release beyond 1.3.1 is not affected.

Risk and Exploitability

The CVSS base score of 7.5 indicates a high level of risk, while the EPSS score of less than 1% suggests a low probability of active exploitation at present. The vulnerability requires local access or the ability to craft a request that reaches the vulnerable include mechanism, so remote exploitation is not immediately evident. If an attacker can place a malicious file on the server or manipulate the request to point to a file containing PHP code, they could achieve arbitrary code execution or data disclosure.

Generated by OpenCVE AI on April 30, 2026 at 21:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the CWW Portfolio theme to a version newer than 1.3.1.
  • If an upgrade is not possible, disable or remove the theme to prevent the vulnerable code from running.
  • Apply server‑side input validation to restrict the include path to a trusted directory and set PHP configuration directives such as `allow_url_include=Off`.
  • Implement web application firewall rules that block requests containing directory traversal sequences or suspicious file paths.
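As an added example (not code from the CWW Portfolio theme or from OpenCVE), the input-validation recommendation above in PHP: a resolver that allow-lists the partial name, canonicalises it with `realpath()`, and checks that the result stays inside one fixed directory before anything reaches `include`. The directory layout, the function names and the demo inputs are assumptions.

```php
<?php
// Added example, not the theme's code: a hardened include helper for the
// CWE-98 pattern where a request-controlled name reaches include/require.
// Assumed layout: all includable partials live under one fixed directory.

declare(strict_types=1);

/**
 * Map a user-supplied partial name to a file inside $baseDir, or return
 * null if the name is not a plain identifier or resolves outside $baseDir.
 */
function resolve_partial(string $baseDir, string $name): ?string
{
    // Syntactic allow-list first: plain names only. This already rejects
    // "../", NUL bytes, absolute paths and stream wrappers such as php://.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    // Canonicalise both sides. realpath() follows symlinks and returns
    // false for files that do not exist, so unknown names fail closed.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Containment: compare against the base plus a separator so that a
    // sibling directory with the same prefix (e.g. "partials2") is refused.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

/** Include the partial, or fail closed with a 400 instead of echoing the name. */
function render_partial(string $baseDir, string $name): void
{
    $path = resolve_partial($baseDir, $name);
    if ($path === null) {
        http_response_code(400);
        echo 'unknown partial';
        return;
    }
    include $path;
}

// Self-contained demo with a constructed partials directory in the temp dir.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cww_demo_partials';
@mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', "<?php echo \"header ok\\n\";\n");
foreach (['header', '../wp-config', 'php://filter/resource=header', "header\0x"] as $name) {
    printf("%-30s => %s\n", addcslashes($name, "\0"), resolve_partial($dir, $name) ?? 'rejected');
}
```

Note that `allow_url_include=Off` only blocks URL stream wrappers in include/require; it does nothing against a local path such as `../wp-config`, which is why the allow-list and containment check are the part that addresses this CWE-98 issue.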

Generated by OpenCVE AI on April 30, 2026 at 21:15 UTC.


Advisories
Source: EUVD
ID: EUVD-2025-12069
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Work Web CWW Portfolio allows PHP Local File Inclusion. This issue affects CWW Portfolio: from n/a through 1.3.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Work Web CWW Portfolio allows PHP Local File Inclusion. This issue affects CWW Portfolio: from n/a through 1.3.1.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codeworkweb CWW Portfolio cww-portfolio allows PHP Local File Inclusion. This issue affects CWW Portfolio: from n/a through <= 1.3.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


Fri, 25 Apr 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 24 Apr 2025 16:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Code Work Web CWW Portfolio allows PHP Local File Inclusion. This issue affects CWW Portfolio: from n/a through 1.3.1.
Title WordPress CWW Portfolio theme <= 1.3.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:12:43.814Z

Reserved: 2025-04-16T06:22:20.495Z

Link: CVE-2025-39359

Vulnrichment

Updated: 2025-04-24T19:52:57.696Z

NVD

Status : Deferred

Published: 2025-04-24T16:15:30.737

Modified: 2026-06-17T09:17:49.507

Link: CVE-2025-39359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T21:30:36Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')