Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Blogbyte blogbyte allows PHP Local File Inclusion.This issue affects Blogbyte: from n/a through <= 1.1.1.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the Blogbyte theme does not properly validate the filename supplied to PHP's include/require statements, allowing an attacker to influence which file is loaded. This flaw permits an attacker to read or execute arbitrary files on the server, potentially exposing confidential data or running malicious code.

Affected Systems

The issue affects the unfoldwp Blogbyte WordPress theme versions through 1.1.1. Users running any iteration of the theme within this range are susceptible.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, while an EPSS score of less than 1% indicates a low probability of widespread exploitation at the present moment. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require an attacker to supply a crafted input that resolves to a path on the server, such as via a URL parameter. If successful, the attacker could read local files or, in some configurations, execute code, leading to a full compromise of the application.

Generated by OpenCVE AI on April 30, 2026 at 11:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blogbyte theme to a version newer than 1.1.1 to remove the LFI flaw.
  • Refuse user‑supplied input in include/require calls by sanitizing file paths or using whitelists; if feasible, modify the theme to avoid dynamic includes.
  • Restrict file system permissions so that the web server user cannot read sensitive system files, and enable file‑access auditing to detect abnormal include attempts.

Generated by OpenCVE AI on April 30, 2026 at 11:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-17541 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Blogbyte allows PHP Local File Inclusion. This issue affects Blogbyte: from n/a through 1.1.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Blogbyte allows PHP Local File Inclusion. This issue affects Blogbyte: from n/a through 1.1.1. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Blogbyte blogbyte allows PHP Local File Inclusion.This issue affects Blogbyte: from n/a through <= 1.1.1.
Title WordPress Blogbyte <= 1.1.1 - Local File Inclusion Vulnerability WordPress Blogbyte theme <= 1.1.1 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00151}

 epss

{'score': 0.00165}

Mon, 09 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Blogbyte allows PHP Local File Inclusion. This issue affects Blogbyte: from n/a through 1.1.1.
Title WordPress Blogbyte <= 1.1.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.914Z

Reserved: 2025-06-04T09:41:31.235Z

Link: CVE-2025-49275

cve-icon Vulnrichment

Updated: 2025-06-09T19:22:51.698Z

cve-icon NVD

Status : Deferred

Published: 2025-06-09T16:15:45.207

Modified: 2026-04-23T15:31:22.403

Link: CVE-2025-49275

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')