Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Elessi elessi-theme allows PHP Local File Inclusion. This issue affects Elessi: from n/a through < 6.4.1.
Published: 2025-07-04
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Elessi theme passes an attacker-influenced value into a PHP include/require statement without adequately constraining it (CWE-98). Although the weakness class is named "PHP Remote File Inclusion", the advisory classifies this instance as Local File Inclusion: an attacker can make the server include files that already exist on the host, disclosing their contents (configuration files holding database credentials are the usual target), and can escalate to code execution if they can first place a file containing PHP on the filesystem, for example through an upload feature. The CVSS vector rates confidentiality, integrity and availability impact as High, so a successful attack should be treated as a full site compromise.

Affected Systems

WordPress sites running the NasaTheme Elessi theme (package slug elessi-theme) on any version below 6.4.1 are affected. The advisory gives no lower bound ("n/a"), so every earlier release should be treated as vulnerable. Administrators can confirm the installed version from the Version header in the theme's style.css or from the Appearance > Themes screen in the WordPress admin.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (High) comes from a vector of AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network without user interaction, but the attacker needs an account with low privileges and the attack complexity is rated High. The EPSS score is under 1%, the SSVC assessment records no known exploitation and marks the issue as not automatable, and it is not listed in CISA KEV. Reading existing files requires only a crafted path value; turning that into code execution additionally requires a way to place attacker-controlled content on the server, such as an upload feature or a writable log. The risk is therefore driven by impact rather than by observed exploitation, and the upgrade should still be prioritised because a successful attack yields full read access to the host and potentially code execution.

Generated by OpenCVE AI on April 30, 2026 at 09:56 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The affected range ends below 6.4.1, so 6.4.1 is the first version the advisory treats as unaffected.

OpenCVE Recommended Actions

  • Upgrade the Elessi theme to version 6.4.1 or later, the first release outside the affected range.
  • If an immediate upgrade is not feasible, deny direct web access to the theme's PHP files that are not meant to be requested by browsers, and use a web application firewall to block request parameters containing path traversal sequences, NUL bytes or PHP stream wrappers (php://, data://, expect://) in the theme's template or include parameters. Treat this as a stop‑gap only: edge filtering can be bypassed through encoding variations.
  • Audit the theme code for include/require statements whose path is built from user‑supplied values; replace such paths with a fixed allowlist of template names and a canonical-path containment check, or remove the dynamic include entirely.

Generated by OpenCVE AI on April 30, 2026 at 09:56 UTC.
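The two recommended code-level controls above, an allowlist and a containment check on the resolved path, are shown below against the include pattern described in the Impact section. This is an added illustration, not the Elessi theme's code or a reconstruction of it: the "template" parameter, the templates/ directory layout and the allowlist contents are assumptions chosen for the example, and the fixture files are constructed in a temporary directory so the script runs offline.

```php
<?php
// Added illustration of CWE-98 in a theme-style template loader. This is
// NOT the Elessi theme's code: the "template" request parameter, the
// templates/ directory layout and the allowlist below are assumptions.
declare(strict_types=1);

// Vulnerable shape: a request value becomes the include path unchanged.
// Any existing file becomes readable, and any file the attacker can
// place on disk (an upload, a writable log) becomes executable PHP.
function load_template_vulnerable(string $base_dir, string $template): void
{
    include $base_dir . '/templates/' . $template;
}

// Hardened shape: strict syntax check, allowlist, then a canonical-path
// containment check so a stale or careless allowlist entry still cannot
// escape the templates directory.
const ALLOWED_TEMPLATES = ['header', 'footer', 'product-grid'];

function resolve_template(string $base_dir, string $template): ?string
{
    // A template name is a short slug: no slashes, dots, NUL bytes or
    // stream-wrapper prefixes such as php:// or data:// can pass this.
    if (!preg_match('/^[a-z0-9-]{1,64}$/', $template)) {
        return null;
    }
    if (!in_array($template, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $templates_dir = realpath($base_dir . '/templates');
    $candidate     = realpath($base_dir . '/templates/' . $template . '.php');
    // realpath() is false for a missing file: fail closed rather than guess.
    if ($templates_dir === false || $candidate === false) {
        return null;
    }
    $prefix = $templates_dir . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function load_template_hardened(string $base_dir, string $template): bool
{
    $path = resolve_template($base_dir, $template);
    if ($path === null) {
        // Log the raw value hex-encoded so NUL bytes and wrappers are visible.
        error_log('rejected template name (hex): ' . bin2hex($template));
        return false;
    }
    include $path;
    return true;
}

// Constructed fixture in a temporary directory so the script runs offline.
$base = sys_get_temp_dir() . '/cwe98-demo-' . bin2hex(random_bytes(4));
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/header.php', "<?php echo \"header rendered\\n\";\n");
file_put_contents($base . '/secret.txt', "DB_PASSWORD=example-only\n");

echo "--- vulnerable loader, traversal input ---\n";
load_template_vulnerable($base, '../secret.txt');   // prints the fixture secret

echo "--- hardened loader ---\n";
$probes = [
    'header',                                         // allowlisted and present
    'footer',                                         // allowlisted but missing
    '../secret.txt',                                  // traversal
    "../secret.txt\0",                                // NUL-byte variant
    'php://filter/convert.base64-encode/resource=x',  // stream wrapper
];
foreach ($probes as $probe) {
    $result = load_template_hardened($base, $probe) ? 'included' : 'rejected';
    printf("%-50s %s\n", addcslashes($probe, "\0"), $result);
}

// Remove the fixture.
unlink($base . '/templates/header.php');
unlink($base . '/secret.txt');
rmdir($base . '/templates');
rmdir($base);
```

Run it with `php` from the command line (PHP 7.1 or later for the nullable return type). The allowlist does the real work; the realpath() containment check is defence in depth for the day someone adds an entry containing a slash. Leaving the PHP default `allow_url_include=Off` in place and setting `open_basedir` for the site are further layers, but neither replaces fixing the include itself.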


Advisories
Source: EUVD
ID: EUVD-2025-20007
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Elessi allows PHP Local File Inclusion. This issue affects Elessi: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Elessi allows PHP Local File Inclusion. This issue affects Elessi: from n/a through n/a.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Elessi elessi-theme allows PHP Local File Inclusion.This issue affects Elessi: from n/a through < 6.4.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 07 Jul 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 11:30:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Elessi allows PHP Local File Inclusion. This issue affects Elessi: from n/a through n/a.
Title WordPress Elessi < 6.4.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

WordPress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:58.656Z

Reserved: 2025-05-30T14:04:49.666Z

Link: CVE-2025-49070

Vulnrichment

Updated: 2025-07-07T16:27:45.633Z

NVD

Status : Deferred

Published: 2025-07-04T12:15:29.460

Modified: 2026-04-23T15:31:16.630

Link: CVE-2025-49070

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T10:00:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')