Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.4.2.
Published: 2025-05-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Local File Inclusion flaw that arises because the Wilmer theme does not properly validate file names used in PHP include/require statements. An attacker can supply a crafted file path, causing the server to read or execute files from the local file system. This defect can lead to disclosure of sensitive data, arbitrary PHP code execution, or compromise of the entire WordPress site. The weakness aligns with CWE‑98.

Affected Systems

WordPress sites that use the Mikado‑Themes Wilmer theme are affected. Any installation employing a version older than 3.4.2, from the initial release through 3.4.1, is vulnerable to this LFI flaw.

Risk and Exploitability

With a CVSS score of 8.1, the issue is high severity. The EPSS score is below 1%, indicating a low likelihood of widespread exploitation today, and it is not listed in the CISA KEV catalog. Nonetheless, the potential for remote code execution makes it a priority. The likely attack vector is a request that injects an arbitrary file path into a theme parameter or URL, reaching the vulnerable include/require statement.

Generated by OpenCVE AI on April 30, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Wilmer theme to version 3.4.2 or later.
  • If an update cannot be applied immediately, restrict the include/require calls by sanitizing file path inputs or limiting them to a whitelist of allowed directories.
  • Implement a security plugin or firewall rule that blocks requests containing suspicious file patterns such as directory traversal sequences ("../") or arbitrary ".php" file references in parameters.
  • Regularly scan the site for unauthorized file changes or the presence of new PHP files that could be executed.

Advisories

Source: EUVD
ID: EUVD-2025-27961
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through n/a.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through n/a.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.4.2.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 29 Jan 2026 17:30:00 +0000

Type: First Time appeared
Values Added: Qodeinteractive; Qodeinteractive wilmer

Type: CPEs
Values Added: cpe:2.3:a:qodeinteractive:wilmer:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Qodeinteractive; Qodeinteractive wilmer

Fri, 23 May 2025 14:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 23 May 2025 13:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through n/a.

Type: Title
Values Added: WordPress Wilmër theme < 3.4.2 - Local File Inclusion Vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:32.827Z

Reserved: 2025-04-16T06:23:58.700Z

Link: CVE-2025-39494

Vulnrichment

Updated: 2025-05-23T13:29:01.575Z

NVD

Status: Modified

Published: 2025-05-23T13:15:31.050

Modified: 2026-04-23T15:29:40.160

Link: CVE-2025-39494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T19:00:14Z

Weaknesses