Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows PHP Local File Inclusion. This issue affects Backpack Traveler: from n/a through <= 2.10.2.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from uncontrolled handling of filenames used in PHP include/require statements within the Mikado‑Themes Backpack Traveler WordPress theme. An attacker can send specially crafted input that causes the theme to include arbitrary local files, which permits reading of internal configuration or log files. If the included file contains PHP code, the site could execute that code, but the CVE itself does not explicitly confirm arbitrary code execution.

Affected Systems

All releases of the Mikado‑Themes Backpack Traveler WordPress theme up to and including version 2.10.2 are affected. Any WordPress installation that has this theme activated and is running a vulnerable version is at risk.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is classified as high severity, yet the EPSS score of < 1 % indicates a very low current exploitation probability. The CVE is not listed in CISA’s KEV catalog. The likely attack vector is remote: an adversary can trigger the flaw by sending a crafted HTTP request to the affected WordPress site while the vulnerable theme is active.

Generated by OpenCVE AI on May 1, 2026 at 08:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available patch, upgrading the Backpack Traveler theme to version 2.10.3 or newer.
  • If a patch is not immediately available, consider deactivating or uninstalling the Backpack Traveler theme to remove the vulnerable code path.
  • Configure the web server to deny external access to sensitive system files and to restrict PHP processing to only whitelisted directories.
  • Implement input validation in custom code to ensure that any path used in include/require statements is limited to a secure, predefined set of directories.
  • Review the theme’s code to replace dynamic includes with hard‑coded paths or safe handling mechanisms where possible.

Advisories
Source: EUVD
ID: EUVD-2025-27960
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler allows PHP Local File Inclusion. This issue affects Backpack Traveler: from n/a through 2.7.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler allows PHP Local File Inclusion. This issue affects Backpack Traveler: from n/a through 2.7.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows PHP Local File Inclusion. This issue affects Backpack Traveler: from n/a through <= 2.10.2.
Title
  Removed: WordPress Backpack Traveler <= 2.7 - Local File Inclusion Vulnerability
  Added: WordPress Backpack Traveler theme <= 2.10.2 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 29 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Qodeinteractive
Qodeinteractive backpack Traveler
CPEs cpe:2.3:a:qodeinteractive:backpack_traveler:*:*:*:*:*:wordpress:*:*
Vendors & Products Qodeinteractive
Qodeinteractive backpack Traveler

Fri, 23 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Backpack Traveler allows PHP Local File Inclusion. This issue affects Backpack Traveler: from n/a through 2.7.
Title WordPress Backpack Traveler <= 2.7 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Qodeinteractive Backpack Traveler
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.701Z

Reserved: 2025-04-16T06:23:58.700Z

Link: CVE-2025-39490

Vulnrichment

Updated: 2025-05-23T13:24:15.328Z

NVD

Status: Modified

Published: 2025-05-23T13:15:30.903

Modified: 2026-04-23T15:29:39.733

Link: CVE-2025-39490

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T08:15:12Z

Weaknesses