Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magty magty allows PHP Local File Inclusion. This issue affects Magty: from n/a through <= 1.0.6.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Control of Filename for Include/Require Statement in PHP (CWE-98), allowing local file inclusion in the Magty theme. An attacker can supply arbitrary file paths to the PHP include mechanism, potentially reading sensitive files or, if the included file contains PHP code, executing it. The flaw carries a CVSS score of 8.1, indicating high severity with significant impact on confidentiality and integrity.

Affected Systems

All installations of the Magty theme on the WordPress platform up to and including version 1.0.6 are affected. The theme is maintained by unfoldwp under the product name Magty.

Risk and Exploitability

The EPSS score of less than 1% suggests that exploitation attempts are uncommon, and the vulnerability is not listed in the CISA KEV catalog. However, the CVSS score indicates a high potential for damage if exploited. The likely attack vector involves an attacker manipulating input that is passed directly to an include or require statement, such as a URL parameter or form field. Successful exploitation can expose sensitive files or log data, or allow arbitrary code execution within the WordPress environment.

Generated by OpenCVE AI on April 30, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Magty theme to version 1.0.7 or later if available
  • Disable or uninstall the theme if not actively used
  • Restrict file system permissions to prevent read access to sensitive files
  • Configure the web server to block direct web access to PHP files in theme directories
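The attack vector described under Risk and Exploitability and the hardening the recommended actions aim at, shown side by side as an added example. This is not Magty's code: the `layout` request parameter, the `templates/` subdirectory and the layout names are assumptions for illustration; `get_template_directory()` is the WordPress function that returns the active theme's directory.

```php
<?php
// Added example, not code from the Magty theme. The 'layout' parameter,
// the templates/ directory and the allowed layout names are assumptions.

// CWE-98 shape from the advisory: the request value becomes part of the
// include path unchanged, so traversal sequences or stream wrappers can
// make PHP include (and execute) a file the developer never intended.
function load_layout_vulnerable(string $layout): void {
    include get_template_directory() . '/templates/' . $layout . '.php';
}

// Hardened shape: an allowlist of known layout names, then a realpath
// containment check so only files under templates/ can ever be included.
function load_layout_safe(string $layout): bool {
    $allowed = ['grid', 'list', 'single'];
    if (!in_array($layout, $allowed, true)) {
        return false;                       // unknown name: refuse, do not guess
    }
    $base = realpath(get_template_directory() . '/templates');
    $path = realpath($base . '/' . $layout . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                       // missing file or escaped the directory
    }
    include $path;
    return true;
}

// Call site: the request value is only ever used as a lookup key.
$layout = isset($_GET['layout']) ? (string) $_GET['layout'] : 'grid';
if (!load_layout_safe($layout)) {
    load_layout_safe('grid');               // fall back to a known-good default
}
```

The allowlist alone closes the hole; the realpath check is defence in depth against a later change that builds the name from something other than the fixed list.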

Advisories
Source: EUVD
ID: EUVD-2025-17546
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magty allows PHP Local File Inclusion. This issue affects Magty: from n/a through 1.0.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magty allows PHP Local File Inclusion. This issue affects Magty: from n/a through 1.0.6.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magty magty allows PHP Local File Inclusion. This issue affects Magty: from n/a through <= 1.0.6.
Type: Title
  Values Removed: WordPress Magty <= 1.0.6 - Local File Inclusion Vulnerability
  Values Added: WordPress Magty theme <= 1.0.6 - Local File Inclusion Vulnerability
Type: References
Type: Metrics
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics
  Values Removed: epss {'score': 0.00151}
  Values Added: epss {'score': 0.00165}


Mon, 09 Jun 2025 20:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magty allows PHP Local File Inclusion. This issue affects Magty: from n/a through 1.0.6.
Type: Title
  Values Added: WordPress Magty <= 1.0.6 - Local File Inclusion Vulnerability
Type: Weaknesses
  Values Added: CWE-98
Type: References
Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.921Z

Reserved: 2025-06-04T09:41:31.235Z

Link: CVE-2025-49280

Vulnrichment

Updated: 2025-06-09T19:23:25.489Z

NVD

Status : Deferred

Published: 2025-06-09T16:15:45.957

Modified: 2026-04-23T15:31:22.987

Link: CVE-2025-49280

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses