Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris caliris-wp allows PHP Local File Inclusion. This issue affects Caliris: from n/a through <= 1.5.
Published: 2025-08-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename used in PHP include/require statements in the Caliris WordPress theme allows an attacker to supply arbitrary paths and have local files loaded into the PHP process. The flaw is classified as CWE-98; although that weakness is named "PHP Remote File Inclusion", the advisory title and description specify Local File Inclusion only. Local inclusion on its own discloses the contents of any server file the PHP process can read; it escalates to remote code execution only when the attacker can also get PHP code into such a file, because whatever is included is executed as PHP. The CVSS 3.1 score of 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high impact on the confidentiality, integrity and availability of sites running the theme; the rating stays below critical only because of the high attack complexity.

Affected Systems

The issue is present in the CocoBasic Caliris (caliris-wp) theme in every release up to and including version 1.5; the advisory gives no lower bound ("from n/a"). Any WordPress installation with the theme at version 1.5 or earlier should be treated as affected; the server-side conditions that govern the actual impact are covered under Risk and Exploitability.

Risk and Exploitability

The EPSS score of less than 1 % indicates that exploitation activity is currently rare, the SSVC assessment records Exploitation: none and Automatable: no, and the vulnerability is not listed in the CISA KEV catalog. The CVSS vector (AV:N, PR:N, UI:N) describes an attack delivered over the network by an unauthenticated client with no user interaction, in practice crafted HTTP requests that supply a file path to the theme's include logic; AC:H indicates that conditions outside the attacker's control must also hold. Whether a successful include yields only file disclosure or code execution depends on which files the PHP process can read and whether the attacker can place PHP code in any of them.

Generated by OpenCVE AI on April 30, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Caliris theme to a release newer than 1.5 as soon as the vendor publishes one that removes the insecure include logic; at the time of this entry no fixed version is listed.
  • Until then, stop using request parameters as include paths: map the parameter to a fixed allowlist of known template files and reject anything not on it. Stripping "../" or other traversal characters is not a substitute, since encoding variants and path tricks routinely bypass sanitization.
  • Harden PHP itself: keep allow_url_include off (it controls remote wrappers in include/require and is deprecated since PHP 7.4), set open_basedir so the process can only read the web root and its temp directory, and confirm the web server user cannot read files outside those trees. These settings limit what an include can reach; they do not remove the flaw.
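As an added illustration (not code from the Caliris theme or from OpenCVE; the parameter name `template`, the directory layout and the file names are assumptions), the include pattern behind CWE-98 described under Impact, beside the allowlist-based rewrite recommended above, plus a runtime check of the two PHP settings named in the last bullet:

```php
<?php
// Added example, not theme code. "template", "templates/" and the file names
// below are assumptions made for the illustration.

// --- Vulnerable pattern (CWE-98): the request decides what gets included. ---
function render_vulnerable(array $get, string $base_dir): void
{
    $name = $get['template'] ?? 'default';
    // A value such as "../../../../etc/passwd" or "../../uploads/x" resolves
    // outside the intended directory and the file is executed as PHP.
    include $base_dir . '/' . $name . '.php';
}

// --- Hardened pattern: look the value up in a fixed map of known files. ---
const ALLOWED_TEMPLATES = [
    'default' => 'templates/default.php',
    'gallery' => 'templates/gallery.php',
    'contact' => 'templates/contact.php',
];

function resolve_template(string $name, string $base_dir): ?string
{
    // Lookup, not sanitization: anything that is not a key is rejected before
    // any filesystem call, so traversal sequences have nothing to bypass.
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        return null;
    }
    $path = realpath($base_dir . '/' . ALLOWED_TEMPLATES[$name]);
    $root = realpath($base_dir);
    // Defence in depth: the resolved file must still sit under the theme root.
    if ($path === false || $root === false
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(array $get, string $base_dir): void
{
    $path = resolve_template((string) ($get['template'] ?? 'default'), $base_dir);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// --- Check the PHP settings recommended above at runtime. ---
function include_hardening_report(): array
{
    $report = [];
    // Governs remote wrappers (http://, ftp://) in include/require. Deprecated
    // since PHP 7.4 but still honoured where present.
    $report['allow_url_include'] =
        filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)
            ? 'ON (disable it)' : 'off';
    // Confines every filesystem function, include among them, to these trees.
    $basedir = ini_get('open_basedir');
    $report['open_basedir'] = ($basedir === '' || $basedir === false)
        ? 'unset (restrict to the web root and temp dir)' : $basedir;
    return $report;
}

// CLI demonstration against a constructed directory tree.
if (PHP_SAPI === 'cli') {
    $root = sys_get_temp_dir() . '/caliris-example';
    if (!is_dir("$root/templates")) {
        mkdir("$root/templates", 0700, true);
    }
    file_put_contents("$root/templates/default.php", "<?php echo 'default';\n");

    var_dump(resolve_template('default', $root) !== null);        // bool(true)
    var_dump(resolve_template('../../../../etc/passwd', $root));  // NULL
    var_dump(resolve_template("default\0", $root));               // NULL
    print_r(include_hardening_report());
}
```

Run it with `php lfi_example.php`. The first `var_dump` is true because `default` is a key in the map; the traversal string and the null-byte variant are both rejected by `array_key_exists` before `realpath` is ever called. The `realpath` comparison is kept anyway so that a later mistake in the map (a symlink, an absolute path) cannot silently widen what the include can reach. The report reflects the settings of the PHP binary that runs the script, so check it under the same php.ini the web server uses.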



Advisories
Source: EUVD
ID: EUVD-2025-25281
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris allows PHP Local File Inclusion. This issue affects Caliris: from n/a through 1.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris allows PHP Local File Inclusion. This issue affects Caliris: from n/a through 1.5.
  Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris caliris-wp allows PHP Local File Inclusion. This issue affects Caliris: from n/a through <= 1.5.
References (details not captured on this page)
Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 21 Aug 2025 12:45:00 +0000

First Time appeared (values added): Wordpress; Wordpress wordpress
Vendors & Products (values added): Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Values added:
  Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris allows PHP Local File Inclusion. This issue affects Caliris: from n/a through 1.5.
  Title: WordPress Caliris <= 1.5 - Local File Inclusion Vulnerability
  Weaknesses: CWE-98
  References (details not captured on this page)
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:52.878Z

Reserved: 2025-05-15T18:02:03.512Z

Link: CVE-2025-48160

Vulnrichment

Updated: 2025-08-20T13:54:50.634Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:31.870

Modified: 2026-04-23T15:30:54.457

Link: CVE-2025-48160

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T16:00:13Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')