Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magways magways allows PHP Local File Inclusion. This issue affects Magways: from n/a through <= 1.2.1.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE describes a flaw in the Magways WordPress theme's handling of PHP include/require statements that allows an attacker to supply arbitrary file names. Based on the description, it is inferred that if the attacker can supply a path to a local file, including one that contains executable PHP code, the theme will include that file. This may result in disclosure of sensitive server files and, if an attacker can place code in a local file, may lead to remote code execution. The weakness is classified as CWE-98: the filename passed to an include/require statement is not adequately controlled.

Affected Systems

Any installation of the Magways theme version 1.2.1 or earlier is vulnerable. The issue is in the theme code distributed by the vendor unfoldwp for use within WordPress sites.

Risk and Exploitability

The CVSS score of 8.1 reflects a high-severity risk, while the EPSS score of less than 1 percent indicates a low estimated likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is manipulation of the theme's file path selection through a crafted URL parameter or other user-supplied input in the WordPress front-end or admin interface. Once an attacker controls the path, the theme includes the specified file without proper validation, which can lead to local file disclosure or code execution.

Generated by OpenCVE AI on April 30, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Magways theme to version 1.2.2 or newer if available
  • Replace the vulnerable include/require usage with safe path handling or a whitelist of allowed files
  • Verify that the theme’s configuration files do not expose sensitive paths; apply input sanitization on any user‑supplied parameters that influence file inclusion



Advisories
Source ID Title
EUVD EUVD-2025-17547 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magways allows PHP Local File Inclusion. This issue affects Magways: from n/a through 1.2.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magways allows PHP Local File Inclusion. This issue affects Magways: from n/a through 1.2.1.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magways magways allows PHP Local File Inclusion. This issue affects Magways: from n/a through <= 1.2.1.
Title
  Removed: WordPress Magways <= 1.2.1 - Local File Inclusion Vulnerability
  Added: WordPress Magways theme <= 1.2.1 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00151}

epss

{'score': 0.00165}


Mon, 09 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magways allows PHP Local File Inclusion. This issue affects Magways: from n/a through 1.2.1.
Title WordPress Magways <= 1.2.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:00.255Z

Reserved: 2025-06-04T09:41:31.235Z

Link: CVE-2025-49281

Vulnrichment

Updated: 2025-06-09T19:38:34.322Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:46.103

Modified: 2026-04-23T15:31:23.100

Link: CVE-2025-49281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T18:15:06Z

Weaknesses