Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion.This issue affects Nasa Core: from n/a through < 6.4.4.
Published: 2025-05-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The NasaCore plugin for WordPress contains an improper control over the filename used in PHP include/require statements. The flaw allows an attacker to manipulate the path of an included file and include arbitrary files from the server. Successful exploitation could enable the attacker to read sensitive files, or if writable files are included, execute injected code, leading to full compromise of the site.

Affected Systems

This issue affects all releases of NasaCore from the first public version up to and including 6.4.4. The plugin is a WordPress component maintained by NasaTheme and is identified in the CVE as NasaTheme:Nasa Core. Systems running the plugin on any WordPress installation with a version <= 6.4.4 are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS v3 score of 7.5, indicating high severity, but the EPSS score is below 1%, suggesting a low current likelihood of exploitation. It is not listed in CISA's KEV catalog. Potential attackers would likely use the web interface to supply a crafted query that influences the include path. While local file inclusion is the primary impact, an attacker could also achieve remote code execution if the included file is writable.

Generated by OpenCVE AI on April 30, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the NasaCore plugin to version 6.4.5 or later, which removes the LFI vulnerability.
  • If an upgrade is not immediately possible, disable the plugin or remove the capability for arbitrary file inclusion in the plugin settings to ensure the include paths are validated.
  • As a temporary workaround, set allow_url_include to Off and restrict the include path to the site's root to prevent arbitrary file inclusion.
  • After applying a fix, perform a site‑wide scan for any injected code or unauthorized modifications.

Generated by OpenCVE AI on April 30, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-15495 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core allows PHP Local File Inclusion. This issue affects Nasa Core: from n/a through 6.3.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core allows PHP Local File Inclusion. This issue affects Nasa Core: from n/a through 6.3.2. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core nasa-core allows PHP Local File Inclusion.This issue affects Nasa Core: from n/a through < 6.4.4.
Title WordPress Nasa Core Plugin <= 6.3.2 - Local File Inclusion vulnerability WordPress Nasa Core Plugin <= 6.4.4 - Local File Inclusion vulnerability
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 06 Jun 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Nasatheme
Nasatheme nasa Core
Weaknesses CWE-829
CPEs cpe:2.3:a:nasatheme:nasa_core:*:*:*:*:*:wordpress:*:*
Vendors & Products Nasatheme
Nasatheme nasa Core

Fri, 16 May 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 16 May 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Nasa Core allows PHP Local File Inclusion. This issue affects Nasa Core: from n/a through 6.3.2.
Title WordPress Nasa Core Plugin <= 6.3.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Nasatheme Nasa Core
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:33.227Z

Reserved: 2025-04-16T06:24:15.129Z

Link: CVE-2025-39507

cve-icon Vulnrichment

Updated: 2025-05-16T16:20:57.899Z

cve-icon NVD

Status : Modified

Published: 2025-05-16T16:15:40.930

Modified: 2026-04-23T15:29:41.640

Link: CVE-2025-39507

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses