Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through <= 2.3.8.
Published: 2025-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper control of the filename used in PHP include/require statements (CWE-98), allowing an attacker to cause the application to include a local file of their choosing. Including arbitrary files can expose sensitive configuration, credentials, or other confidential data, and in many cases can be abused to execute attacker-supplied PHP code on the server, compromising the confidentiality, integrity and availability of the site.

Affected Systems

The Besa WordPress theme, distributed by thembay, is affected for all releases up through and including version 2.3.8. Any WordPress installation using these versions of the theme is vulnerable; versions 2.3.9 and later are reported by the vendor as fixed.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity due to the potential for remote code execution and the wide impact on all sites using the vulnerable theme; the vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) describes a network-reachable issue requiring no privileges or user interaction but with high attack complexity. The EPSS score of less than 1% indicates that public exploitation is rare or has not been observed, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector would involve manipulating a request that reaches the insecure include/require logic, but the precise exploitation steps are not detailed in the advisory. Given the high potential impact and the low observed exploitation probability, the vulnerability poses a significant risk if left unpatched.

Generated by OpenCVE AI on April 30, 2026 at 11:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Besa theme to the latest version (2.3.9 or newer) as recommended by thembay, which removes the vulnerable include logic.
  • If an upgrade cannot be performed immediately, replace the file that performs the include/require with a custom patch that sanitizes the file path: restrict inclusion to the theme's designated include directory, disallow relative paths, and verify that the target file is readable by the web server before including it.
  • Eliminate exposure of the vulnerable functionality by ensuring that any file parameters passed to the include/require are either removed or set to a static, approved value, thereby preventing arbitrary file reads or execution.
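The following is an added example of the hardening described in the second and third actions above; it is not code from the Besa theme or from thembay. It assumes it runs inside WordPress (get_template_directory() is a WordPress function), and the parameter name 'layout', the templates subdirectory and the allowlist contents are hypothetical placeholders.

```php
<?php
// Added example, not the theme's code. Resolves a template name to a file
// inside $base_dir, or returns null. Hypothetical names: $base_dir, 'layout'.
function safe_template_path(string $base_dir, string $name): ?string
{
    // 1. Only plain identifiers: no slashes, dots or NUL bytes, so relative
    //    paths, traversal sequences and stream wrappers never reach require.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base      = realpath($base_dir);
    $candidate = realpath($base_dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 2. Containment: after symlink resolution the file must still sit under
    //    the designated include directory (compare with trailing separator).
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // 3. Must be a regular, readable file before include/require sees it.
    if (!is_file($candidate) || !is_readable($candidate)) {
        return null;
    }
    return $candidate;
}

// Static allowlist (hypothetical values): the request may only select among
// known templates; anything else falls back to a fixed, approved default.
const ALLOWED_TEMPLATES = ['grid', 'list', 'single'];

function include_template(string $base_dir, string $requested): void
{
    $name = in_array($requested, ALLOWED_TEMPLATES, true) ? $requested : 'grid';
    $path = safe_template_path($base_dir, $name);
    if ($path === null) {
        // Log the rejected value for detection and never include an unresolved path.
        error_log('template rejected: ' . $requested);
        return;
    }
    require $path;
}

// Usage: the raw request value is never handed to require directly.
include_template(get_template_directory() . '/templates', $_GET['layout'] ?? 'grid');
```

With the allowlist in place the path checks are defence in depth; keep both, since a future template added outside the allowlist still cannot pull the include outside the designated directory.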

Advisories
Source: EUVD
ID: EUVD-2025-18532
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through 2.3.8.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Values removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through 2.3.8.
    Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.8.
  Title
    Values removed: WordPress Besa <= 2.3.8 - Local File Inclusion Vulnerability
    Values added: WordPress Besa theme <= 2.3.8 - Local File Inclusion Vulnerability
  References
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 17 Jun 2025 15:15:00 +0000
  Description
    Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through 2.3.8.
  Title
    Values added: WordPress Besa <= 2.3.8 - Local File Inclusion Vulnerability
  Weaknesses
    Values added: CWE-98
  References
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.011Z

Reserved: 2025-06-04T09:41:05.254Z

Link: CVE-2025-49252

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-06-17T15:15:46.663

Modified: 2026-04-23T15:31:19.683

Link: CVE-2025-49252

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:30:06Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')