Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through <= 1.1.15.
Published: 2025-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw stems from improper validation of the filenames used in include/require statements in the Maia theme. Because the filename is not sanitized, an attacker can cause the server to include arbitrary local files. This may expose sensitive files or allow execution of malicious code that the attacker has already placed on the filesystem.

Affected Systems

WordPress users running the Maia theme version 1.1.15 or earlier. The vulnerability is tied to the thembay Maia theme, which is installed in the site's theme directory and active within the WordPress environment.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 8.1, indicating high impact with high attack complexity (the vector carries AC:H). The EPSS score is less than 1%, suggesting exploitation is unlikely to be widespread yet. It is not listed in CISA KEV. An attacker can exploit the flaw by sending crafted requests that include a filename parameter, leading to local file inclusion and potentially remote code execution if the attacker can create or control the target file.

Generated by OpenCVE AI on April 30, 2026 at 11:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Maia theme update (v1.1.16 or later) that eliminates the uncontrolled include statement.
  • If an update is not feasible, modify the theme’s core files to validate include filenames against a strict whitelist or remove the vulnerable include logic entirely.
  • Deploy a web application firewall or security plugin that blocks suspicious inclusion requests and monitors for attempts to include arbitrary local files.
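As an added illustration of the allowlist approach in the second action (not code from the Maia theme or from OpenCVE), here is a hypothetical WordPress theme template loader: the request supplies only a key, the key is resolved through a fixed map of known template files, and the resolved path is checked to still lie inside the theme directory. The names `ALLOWED_TEMPLATES`, `resolve_template_path`, `render_layout`, the `layout` request parameter and the `templates/` file paths are all assumptions for the example.

```php
<?php
// Added example (hypothetical; not the Maia theme's code): include a theme
// template chosen by request input without letting that input control the path.
// Assumes a WordPress theme with a templates/ subdirectory.

/**
 * Map of allowed template keys to files relative to the theme root.
 * Only these files can ever be included; the request supplies a key, never a path.
 */
const ALLOWED_TEMPLATES = [
    'grid'     => 'templates/product-grid.php',
    'list'     => 'templates/product-list.php',
    'carousel' => 'templates/product-carousel.php',
];

/**
 * Resolve a template key to an absolute path inside the theme directory.
 * Returns null for anything not in the allowlist or outside the theme root.
 */
function resolve_template_path(string $key, string $theme_dir): ?string
{
    if (!array_key_exists($key, ALLOWED_TEMPLATES)) {
        return null; // unknown key: refuse rather than guess
    }
    $root = realpath($theme_dir);
    $path = realpath($theme_dir . '/' . ALLOWED_TEMPLATES[$key]);
    if ($root === false || $path === false) {
        return null; // theme directory or template file missing
    }
    // Defense in depth: the resolved file must still sit under the theme root.
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Include the requested layout, falling back to the default when the request
 * carries no valid key. Uses WordPress helpers for input and theme paths.
 */
function render_layout(string $default = 'grid'): void
{
    $key  = isset($_GET['layout']) ? sanitize_key(wp_unslash($_GET['layout'])) : $default;
    $path = resolve_template_path($key, get_template_directory());
    if ($path === null) {
        $path = resolve_template_path($default, get_template_directory());
    }
    if ($path !== null) {
        include $path; // path comes from ALLOWED_TEMPLATES, never from the request
    }
}
```

Any value not present as a key in the map, including traversal sequences or absolute paths, falls through to the default layout instead of reaching `include`.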

Advisories

Source: EUVD
ID: EUVD-2025-28290
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through 1.1.15.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description
    Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through 1.1.15.
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia maia allows PHP Local File Inclusion.This issue affects Maia: from n/a through <= 1.1.15.
  Title
    Removed: WordPress Maia <= 1.1.15 - Local File Inclusion Vulnerability
    Added: WordPress Maia theme <= 1.1.15 - Local File Inclusion Vulnerability
  References
  Metrics cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Jun 2025 16:15:00 +0000

  Metrics ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 15:15:00 +0000

  Description
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Maia allows PHP Local File Inclusion. This issue affects Maia: from n/a through 1.1.15.
  Title
    Added: WordPress Maia <= 1.1.15 - Local File Inclusion Vulnerability
  Weaknesses
    Added: CWE-98
  References
  Metrics cvssV3_1
    {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.521Z

Reserved: 2025-06-04T09:41:14.294Z

Link: CVE-2025-49258

Vulnrichment

Updated: 2025-06-18T15:18:09.412Z

NVD

Status : Deferred

Published: 2025-06-17T15:15:47.587

Modified: 2026-04-23T15:31:20.363

Link: CVE-2025-49258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:30:06Z

Weaknesses