Description
Path Traversal: '.../...//' vulnerability in CocoBasic Blanka - One Page WordPress Theme blanka-wp allows PHP Local File Inclusion.This issue affects Blanka - One Page WordPress Theme: from n/a through < 1.5.
Published: 2025-11-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a path traversal flaw that enables PHP Local File Inclusion in the Blanka theme. When an attacker supplies crafted input, the theme can include arbitrary files from the server, which may let the attacker read sensitive files or execute arbitrary PHP code. This results in a loss of confidentiality, integrity, and availability for sites using the affected theme.

Affected Systems

The Blanka – One Page WordPress Theme from CocoBasic. Versions from the earliest available release through any version less than 1.5 are affected. The vulnerability exists in the theme files that handle path traversal.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation attempts currently rare. The issue is not yet listed in CISA KEV, implying no known widespread exploitation. Attackers need only access the website's exposed interfaces that allow the theme to receive user‑supplied path parameters; thus, the attack vector is likely web based and requires only remote user interaction. The presence of a typical PHP include function combined with unsanitized input creates a straightforward exploit path for decoding malicious code.

Generated by OpenCVE AI on April 30, 2026 at 05:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blanka theme to version 1.5 or later, which removes the vulnerable path traversal handling.
  • If an immediate update is not possible, deactivate the Blanka theme and switch to another theme until a secure patch is applied.
  • Validate and sanitize all file path inputs in the theme by employing canonicalization functions or rejecting any relative path components, addressing the underlying CWE‑35 flaw.

Generated by OpenCVE AI on April 30, 2026 at 05:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 06 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Cocobasic
Cocobasic blanka
Wordpress
Wordpress wordpress
Vendors & Products Cocobasic
Cocobasic blanka
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Path Traversal: '.../...//' vulnerability in CocoBasic Blanka - One Page WordPress Theme blanka-wp allows PHP Local File Inclusion.This issue affects Blanka - One Page WordPress Theme: from n/a through < 1.5.
Title WordPress Blanka - One Page WordPress Theme Theme < 1.5 - Local File Inclusion Vulnerability
Weaknesses CWE-35
References

Subscriptions

Cocobasic Blanka
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:50.352Z

Reserved: 2025-05-15T17:54:23.204Z

Link: CVE-2025-48090

cve-icon Vulnrichment

Updated: 2025-11-06T16:05:31.694Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:15:52.423

Modified: 2026-04-27T20:16:07.070

Link: CVE-2025-48090

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:30:06Z

Weaknesses