Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Blogprise blogprise allows PHP Local File Inclusion. This issue affects Blogprise: from n/a through <= 1.0.9.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Blogprise WordPress theme contains a flaw in which a filename supplied to a PHP include or require operation is not properly validated. This improper control of the filename allows an attacker to read or include local files, which can lead to arbitrary code execution when a path traversal chain reaches a PHP file or when an attacker gains control of the input path. The vulnerability maps to CWE‑98, Local File Inclusion.

Affected Systems

WordPress installations using the Blogprise theme version 1.0.9 or earlier are affected. The vulnerability was identified in all releases of Blogprise up to and including 1.0.9, regardless of other WordPress components.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. EPSS is listed as <1%, suggesting a low overall exploitation probability at the time of assessment. The issue is not currently featured in CISA KEV. Attackers would need to supply a crafted filename parameter via a publicly accessible URL or form, which indicates the likely attack vector is a web‑based local file inclusion attempt. Successful exploitation could compromise the entire site, leading to data disclosure, defacement, or full remote code execution.

Generated by OpenCVE AI on April 30, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Blogprise theme to the latest available version (v1.1.0 or newer) where the filename validation issue has been fixed.
  • If an update is unavailable, modify the theme’s code to sanitize the include path by checking against a whitelist of allowed directories and stripping traversal characters before performing include or require.
  • Deploy a web application firewall or security plugin that blocks suspicious file‑include attempts, such as requests containing '..' or path traversal patterns, and monitor logs for such activity.
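
One way to implement the allowlist check from the second recommended action, as an added example that is not Blogprise's code. The function name, the layout keys and the temporary directory are hypothetical, and the code canonicalises the path with realpath() and checks containment instead of stripping traversal characters.

```php
<?php
// Added example with hypothetical names; not taken from the Blogprise theme.

/** Map a request-supplied key to a file under $baseDir, or null if not permitted. */
function resolve_template_part(string $key, string $baseDir, array $allowed): ?string
{
    // 1. Allowlist: the request value selects an entry, it is never used as a raw path.
    if (!in_array($key, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 2. Canonicalise: realpath() resolves '..' and symlinks, and fails on missing files.
    $path = realpath($base . DIRECTORY_SEPARATOR . $key . '.php');
    if ($path === false) {
        return null;
    }
    // 3. Containment: the resolved file must still live under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: one real template, one allowed name that is a symlink leaving the tree.
$tmp     = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
$baseDir = $tmp . DIRECTORY_SEPARATOR . 'template-parts';
mkdir($baseDir, 0700, true);
file_put_contents($baseDir . '/grid.php', '<?php echo "grid layout";');
file_put_contents($tmp . '/outside.php', '<?php echo "outside the theme";');
@symlink($tmp . '/outside.php', $baseDir . '/list.php'); // may be unavailable on some hosts

$allowed = ['grid', 'list'];
// Constructed inputs: a valid key, the symlinked key, a traversal string, a full filename.
foreach (['grid', 'list', '../../wp-config', 'grid.php'] as $input) {
    $path = resolve_template_part($input, $baseDir, $allowed);
    printf("%-20s => %s\n", json_encode($input), $path ?? 'rejected');
    // In a theme, the caller would `require $path;` only when $path is not null.
}
```

Only `grid` resolves to a path; `list` passes the allowlist but is rejected by the containment check because its symlink target lies outside the base directory.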

Advisories
Source ID Title
EUVD EUVD-2025-17543 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Blogprise allows PHP Local File Inclusion. This issue affects Blogprise: from n/a through 1.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Blogprise allows PHP Local File Inclusion. This issue affects Blogprise: from n/a through 1.0.9.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Blogprise blogprise allows PHP Local File Inclusion. This issue affects Blogprise: from n/a through <= 1.0.9.
Title
  Removed: WordPress Blogprise <= 1.0.9 - Local File Inclusion Vulnerability
  Added: WordPress Blogprise theme <= 1.0.9 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00151}

epss

{'score': 0.00165}


Mon, 09 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Blogprise allows PHP Local File Inclusion. This issue affects Blogprise: from n/a through 1.0.9.
Title WordPress Blogprise <= 1.0.9 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.917Z

Reserved: 2025-06-04T09:41:31.235Z

Link: CVE-2025-49277

Vulnrichment

Updated: 2025-06-09T19:23:05.934Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:45.500

Modified: 2026-04-23T15:31:22.647

Link: CVE-2025-49277

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses