Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through <= 1.1.
Published: 2025-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in include/require statements in the Lasa WordPress theme, i.e. a local file inclusion flaw (CWE-98). If an attacker can influence the filename parameter, they may read sensitive files such as configuration files or database credentials, or execute arbitrary PHP code by including a crafted file. This can lead to full compromise of the site and potentially of the underlying server. The CVSS score of 8.1 indicates high severity.

Affected Systems

The affected product is the Lasa WordPress theme from thembay, versions 1.1 and earlier. Any WordPress site running one of those versions is vulnerable.

Risk and Exploitability

The EPSS score of less than 1% implies a very low current probability of exploitation, perhaps because the flaw requires the attacker to supply an exploitable file path that the theme will include. It is not listed in the CISA KEV catalog. The likely attack vector is a web-based request that passes a crafted file path to the theme, leading to local file inclusion. Exploitation requires that the site runs the vulnerable theme and that the include logic is reachable from the web.

Generated by OpenCVE AI on April 30, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Lasa theme to the latest version (1.2 or higher) where the local file inclusion issue is resolved.
  • If an update is not available, disable or remove the Lasa theme to eliminate the vulnerable code path.
  • As a temporary measure, modify the theme's include logic to validate the filename against a whitelist of permitted directories or hard-code the path instead of using user input.
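As an added illustration of the third action above, the hardened include pattern in PHP (example code written for this page, not the Lasa theme's own code; the function name, the template directory and the template names are assumptions):

```php
<?php
// Added example, not code from the Lasa theme. Shows the allowlist plus
// path-canonicalisation approach recommended for CWE-98 include flaws.
// Function name, template directory and template names are assumptions.

/**
 * Resolve a user-supplied template name to a file inside the theme's
 * template directory. Returns null if the request is not permitted.
 */
function lasa_example_resolve_template(string $requested, string $templateDir): ?string
{
    // 1. Explicit allowlist: only these logical names are ever included,
    //    and each maps to a fixed file name chosen by the developer.
    $allowed = [
        'default' => 'default.php',
        'sidebar' => 'sidebar.php',
        'footer'  => 'footer.php',
    ];
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }

    // 2. Canonicalise both the directory and the resolved file and confirm
    //    the file is still inside the directory. This catches symlinks and
    //    a mistaken allowlist entry, so the check does not rely on step 1 alone.
    $base = realpath($templateDir);
    $file = realpath($templateDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $file === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($file, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $file;
}

// Generic CWE-98 pattern the advisory describes (user input reaches include):
//   include get_template_directory() . '/' . $_GET['template'];
//
// Hardened usage: the request parameter selects an allowlist key only.
$template = lasa_example_resolve_template(
    (string) ($_GET['template'] ?? 'default'),
    __DIR__ . '/templates'
);
if ($template === null) {
    http_response_code(400);
    exit('Invalid template');
}
include $template;
```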



Advisories
Source: EUVD
ID: EUVD-2025-18646
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa lasa allows PHP Local File Inclusion.This issue affects Lasa: from n/a through <= 1.1.
Title
  Removed: WordPress Lasa <= 1.1 - Local File Inclusion Vulnerability
  Added: WordPress Lasa theme <= 1.1 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 18 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Lasa allows PHP Local File Inclusion. This issue affects Lasa: from n/a through 1.1.
Title WordPress Lasa <= 1.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.028Z

Reserved: 2025-06-04T09:41:05.254Z

Link: CVE-2025-49253

Vulnrichment

Updated: 2025-06-18T14:45:25.935Z

NVD

Status : Deferred

Published: 2025-06-17T15:15:46.817

Modified: 2026-04-23T15:31:19.800

Link: CVE-2025-49253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:00:13Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')