Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5.
Published: 2025-05-19
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the theme's PHP code failing to properly validate filenames used in include/require statements. The result is that an attacker can influence which local files are loaded, potentially leaking secrets or executing malicious code. The impact range is from information disclosure to full compromise if an attacker can control the file path.

Affected Systems

WordPress sites using the Bringthepixel Bimber – Viral Magazine WordPress Theme version 9.2.5 or earlier are affected.

Risk and Exploitability

With a CVSS score of 8.8, the issue is considered high severity. The EPSS score is less than 1%, suggesting a low but nonzero likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be remote, via crafted URLs that trigger the vulnerable include mechanism, but requires the affected theme to be active.

Generated by OpenCVE AI on April 30, 2026 at 12:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Bimber theme to version 9.2.6 or later, which removes the unsafe include logic
  • If an upgrade is not immediately possible, switch the site to an alternative theme or disable the Bimber theme temporarily to eliminate the attack surface
  • Limit the theme’s file permissions and enforce strict include path checks to prevent any future inclusion of unintended files



Advisories
Source: EUVD
ID: EUVD-2025-15718
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme bimber. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through <= 9.2.5.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5.
References

Thu, 23 Apr 2026 15:45:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme bimber. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through <= 9.2.5.
References

Mon, 19 May 2025 19:15:00 +0000

Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 19 May 2025 16:30:00 +0000

Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme. This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5.
Title
  Values Added: WordPress Bimber - Viral Magazine WordPress Theme theme <= 9.2.5 - Local File Inclusion vulnerability
Weaknesses
  Values Added: CWE-98
References
Metrics
  Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:46.003Z

Reserved: 2025-05-07T09:55:20.908Z

Link: CVE-2025-47576

Vulnrichment

Updated: 2025-05-19T16:51:21.208Z

NVD

Status: Deferred

Published: 2025-05-19T17:15:27.930

Modified: 2026-04-28T19:32:26.407

Link: CVE-2025-47576

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T12:45:22Z
