Description
The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product'. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Published: 2025-06-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary code execution via local file inclusion
Action: Immediate Patch
AI Analysis

Impact

The Zagg theme's load_view() function, which several of its AJAX actions invoke, contains a local file inclusion flaw (CWE-98). Because those actions are registered for unauthenticated callers, anyone who can reach the site's admin-ajax.php endpoint can influence which local file load_view() includes, and PHP then executes whatever code that file contains. Exploitation can lead to full site compromise, data exfiltration, or bypass of access controls; reaching code execution in practice depends on the attacker first getting a file with PHP content onto the server, for example through an upload that passes as an image.
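The following PHP is an added illustration of the CWE-98 shape described above; it is not the Zagg theme's code, which this page does not reproduce. It shows an admin-ajax.php handler that hands a request value to include, beside a hardened loader that allowlists view names and confines the resolved path. The function names, the 'view' request parameter and the template names are assumptions made for the example.

```php
<?php
// Added illustration of CWE-98 in a WordPress AJAX handler. This is NOT the
// Zagg theme's code: the function names, the 'view' request parameter and the
// template names below are assumed for the example.

// Vulnerable shape (do not deploy): the request decides which file is included.
// No extension is forced, so an uploaded "image" that carries PHP tags can be
// included and executed; that is the scenario the advisory describes.
function example_load_view_unsafe( string $view ): void {
    include get_template_directory() . '/' . $view;
}

// Hardened shape: an exact-match allowlist plus a path-containment check.
function example_load_view_safe( string $view ): bool {
    static $allowed = array( 'post-card', 'product-card', 'shop-grid' ); // assumed names

    // 1. The only user influence permitted is choosing one known view name.
    if ( ! in_array( $view, $allowed, true ) ) {
        return false;
    }

    // 2. Defence in depth: resolve the real path and confirm it is still
    //    inside the theme's template directory, so a future allowlist mistake
    //    cannot reintroduce traversal.
    $base = realpath( get_template_directory() . '/template-parts' );
    if ( false === $base ) {
        return false;
    }
    $path = realpath( $base . '/' . $view . '.php' );
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }

    include $path;
    return true;
}

// Wiring: the wp_ajax_nopriv_ registration is what makes the handler reachable
// without authentication, so the allowlist is the control that actually
// matters for anonymous callers (a nonce only helps the logged-in path).
function example_ajax_load_more_product(): void {
    $raw  = isset( $_POST['view'] ) ? wp_unslash( $_POST['view'] ) : '';
    $view = sanitize_key( (string) $raw ); // strips anything outside [a-z0-9_-]
    if ( ! example_load_view_safe( $view ) ) {
        wp_send_json_error( array( 'message' => 'unknown view' ), 400 );
    }
    wp_die();
}
add_action( 'wp_ajax_load_more_product', 'example_ajax_load_more_product' );
add_action( 'wp_ajax_nopriv_load_more_product', 'example_ajax_load_more_product' );
```

The allowlist is the real fix; the realpath() containment check and sanitize_key() are layered behind it so that a later change to the allowed list, or a missed call site, cannot silently reopen the traversal.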

Affected Systems

All instances of the BZOTheme Zagg – Electronics & Accessories WooCommerce WordPress Theme with version 1.4.1 or earlier are affected.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 score of 8.1 (High) with the vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network without authentication or user interaction and has total impact on confidentiality, integrity and availability, but its attack complexity is rated High, which matches the description's caveat that code execution depends on first placing a PHP-bearing file on the server. Its EPSS score of less than 1 % reflects a low estimated probability of exploitation in the wild, and the SSVC assessment recorded on 17 Jun 2025 rates it Exploitation: none, Automatable: no, Technical Impact: total. Attackers need only send crafted requests to the vulnerable AJAX endpoints. The flaw is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on April 22, 2026 at 01:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Zagg theme to a release later than 1.4.1 in which load_view() no longer includes request-controlled paths. As of this page's last update no fixed version is recorded here, so confirm the fix in the vendor's changelog before relying on it.
  • If an upgrade cannot be performed immediately, unhook or disable the AJAX actions 'load_more_post', 'load_shop' and 'load_more_product' in the theme's source or from a must-use plugin. Expect the theme's load-more and similar features that depend on these actions to stop working until the update is applied.
  • Deploy a web-application firewall or security plugin that blocks traversal sequences and file paths in the parameters of these AJAX requests. Note that web-server rules which stop PHP files in wp-content/uploads from being executed directly do not protect against this flaw: include() runs PHP from any readable file regardless of the web server's handler configuration. While the theme is unpatched, treat any file in the uploads tree that contains PHP tags as a potential payload.
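One way to carry out the second recommendation without editing the theme is a must-use plugin that removes the theme's callbacks for the three actions and refuses any request that still names them. This is an added example, not code from the theme vendor or from OpenCVE; it assumes the three action names quoted in the advisory are the exact strings the theme registers, and the function and constant names are the example's own.

```php
<?php
/**
 * Plugin Name: Block Zagg load_view AJAX actions (temporary virtual patch)
 *
 * Added example, not the vendor's fix. Place it in wp-content/mu-plugins/ so
 * it loads before the theme, and delete it once a fixed theme is installed.
 * Assumes the three action names below are exactly what the theme registers.
 */

const EXAMPLE_BLOCKED_AJAX_ACTIONS = array(
    'load_more_post',
    'load_shop',
    'load_more_product',
);

/**
 * Unhook every callback the theme attached to the three actions. The theme's
 * functions.php has already run by the time 'after_setup_theme' fires, so at
 * priority 999 the registrations exist and can be removed without knowing the
 * theme's callback names. Both the nopriv and the logged-in variants go: the
 * advisory only proves the unauthenticated path, but leaving the privileged
 * one reachable gains nothing while the code is unpatched. admin-ajax.php
 * then answers these actions with HTTP 400 and a body of '0'.
 */
function example_unhook_vulnerable_ajax_actions(): void {
    foreach ( EXAMPLE_BLOCKED_AJAX_ACTIONS as $action ) {
        remove_all_actions( 'wp_ajax_' . $action );
        remove_all_actions( 'wp_ajax_nopriv_' . $action );
    }
}
add_action( 'after_setup_theme', 'example_unhook_vulnerable_ajax_actions', 999 );

/**
 * Belt and braces: if a child theme or plugin re-registers one of the actions
 * after 'after_setup_theme', refuse the request explicitly and leave an audit
 * trail in the PHP error log. admin-ajax.php fires 'admin_init' before it
 * dispatches the requested action, so priority 0 here runs first.
 */
function example_refuse_vulnerable_ajax_request(): void {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( (string) wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, EXAMPLE_BLOCKED_AJAX_ACTIONS, true ) ) {
        return;
    }
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'CVE-2025-4200 virtual patch: refused AJAX action %s from %s',
        $action,
        $ip
    ) );
    wp_send_json_error(
        array( 'message' => 'This action is disabled pending a theme update.' ),
        403
    );
}
add_action( 'admin_init', 'example_refuse_vulnerable_ajax_request', 0 );
```

After dropping the file in place, request admin-ajax.php with action=load_more_product as an anonymous client and confirm you get a 400 or 403 rather than rendered content; the error_log lines also give you a count of attempts to watch while the theme remains unpatched.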


Advisories
Source: EUVD
ID: EUVD-2025-18333
Title: The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product'. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
History

Wed, 16 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.00227}
Values Added: {'score': 0.00328}


Tue, 17 Jun 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 14 Jun 2025 08:45:00 +0000

Type: Description
Values Added: The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product'. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Type: Title
Values Added: Zagg - Electronics & Accessories WooCommerce WordPress Theme <= 1.4.1 - Unauthenticated Local File Inclusion
Type: Weaknesses
Values Added: CWE-98
Type: References
Values Added:
Type: Metrics (cvssV3_1)
Values Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:19.375Z

Reserved: 2025-05-01T13:41:23.492Z

Link: CVE-2025-4200

Vulnrichment

Updated: 2025-06-16T16:49:00.504Z

NVD

Status : Deferred

Published: 2025-06-14T09:15:22.990

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4200

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:30:05Z

Weaknesses