Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magze magze allows PHP Local File Inclusion.This issue affects Magze: from n/a through <= 1.0.9.
Published: 2025-06-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The weakness is CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program, and here it manifests as Local File Inclusion (LFI). If attacker-controlled input reaches an include or require statement without being confined to a fixed set of template names, PHP includes whatever path results, so an attacker can read any file the web server process can open, such as wp-config.php, logs or backups. Because PHP executes the files it includes, the impact is not limited to disclosure: if the attacker can get PHP code into any file the server can reach (an upload, a log, a session or temp file), the same flaw becomes remote code execution. The advisory text does not state code execution explicitly, but the CVSS vector recorded for this entry rates confidentiality, integrity and availability impact all as High, which is consistent with that outcome.
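The include pattern described above, shown as an added illustration that is not Magze's code and not taken from this record: the "layout" parameter, the layouts/ subdirectory and the template names are assumptions. The script creates a throw-away theme directory under the system temp dir so it runs stand-alone with `php lfi_demo.php`, and contrasts the vulnerable concatenation with an allow-list plus realpath() check.

```php
<?php
declare(strict_types=1);

// Added illustration of CWE-98 as it appears in WordPress themes. This is NOT
// Magze's code: the "layout" parameter, the layouts/ subdirectory and the
// template names are assumptions. A throw-away theme directory is built under
// the system temp dir so the script runs stand-alone.

$themeDir = sys_get_temp_dir() . '/lfi-demo-theme-' . getmypid();
mkdir($themeDir . '/layouts', 0700, true);
file_put_contents($themeDir . '/layouts/grid.php', "<?php echo \"grid layout rendered\\n\";\n");

// A file outside the theme tree that the theme must never be able to include.
// It contains PHP on purpose: include() executes what it loads, so reaching it
// is code execution, not only a file read.
$secret = dirname($themeDir) . '/lfi-demo-secret-' . getmypid() . '.php';
file_put_contents($secret, "<?php echo \"OUTSIDE FILE EXECUTED\\n\";\n");

// VULNERABLE pattern: a request-controlled string is concatenated into the
// include path. '../' sequences walk out of layouts/ and out of the theme, and
// the fixed '.php' suffix is no obstacle when the target already ends in .php.
function render_layout_vulnerable(string $themeDir, string $layout): void
{
    include $themeDir . '/layouts/' . $layout . '.php';
}

// HARDENED pattern: map the untrusted value onto a closed allow-list of
// template names, then confirm with realpath() that the resolved file still
// lies under layouts/. The realpath check is defence in depth for the day
// someone widens the allow-list or builds the name from several inputs.
function render_layout_hardened(string $themeDir, string $layout): bool
{
    $allowed = ['grid', 'list', 'masonry'];   // assumed template names
    if (!in_array($layout, $allowed, true)) {
        return false;
    }
    $base = realpath($themeDir . '/layouts');
    if ($base === false) {
        return false;
    }
    $path = realpath($base . '/' . $layout . '.php');
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// The traversal payload an attacker would place in the request parameter.
$traversal = '../../' . basename($secret, '.php');

echo "vulnerable, benign input : ";
render_layout_vulnerable($themeDir, 'grid');
echo "vulnerable, traversal    : ";
render_layout_vulnerable($themeDir, $traversal);
echo "hardened, traversal      : ";
echo render_layout_hardened($themeDir, $traversal) ? "included\n" : "rejected\n";
echo "hardened, benign input   : ";
render_layout_hardened($themeDir, 'grid');

// Remove the throw-away files.
unlink($secret);
unlink($themeDir . '/layouts/grid.php');
rmdir($themeDir . '/layouts');
rmdir($themeDir);
```

The allow-list is the real fix; the realpath() comparison only catches mistakes in how the allow-listed name is turned into a path. In a real theme the equivalent of the hardened branch would hand the validated name to WordPress's own template loading functions rather than calling include directly.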

Affected Systems

Magze, a WordPress theme from unfoldwp, is affected in every release up to and including 1.0.9; the record gives no lower bound ("n/a"). Any WordPress site still running Magze 1.0.9 or earlier is exposed. An installed but inactive copy is not necessarily safe: files under wp-content/themes remain web-accessible, and the record does not say whether the affected code requires the theme to be active.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) places the issue in the High range: it is reachable over the network without privileges or user interaction, the attack complexity is rated High, and the impact on confidentiality, integrity and availability is rated High. "Local" in LFI refers to the included file residing on the target server, not to the attack vector; this is a remotely triggerable flaw. The EPSS score (0.165% as of the last update recorded on this page) indicates a low estimated probability of exploitation in the wild over the next 30 days, and the CISA KEV catalog does not list the CVE, so no confirmed active exploitation is recorded; the SSVC assessment on this page likewise rates exploitation as "none" and technical impact as "total". None of that lowers the severity for a site that is exposed. Exploitation requires a request parameter or other input path that reaches the theme's include statement; the record does not identify which one. Removing the vulnerable code, by upgrading if a fixed release exists or by replacing the theme, is the most effective defense.

Generated by OpenCVE AI on April 30, 2026 at 11:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Magze to a release later than 1.0.9 if the vendor has published one; this record lists no fixed version, so confirm the theme's changelog before relying on an upgrade.
  • If no fixed release is available, replace the theme. Deactivating it is weaker than removing it: theme files under wp-content/themes remain web-accessible, and the record does not say whether the affected code requires the theme to be active.
  • For deployments that must keep Magze in place, limit what an include can reach rather than relying on file permissions alone (wp-config.php must stay readable by the PHP process, so permissions cannot hide it from an LFI): set open_basedir to the site root, keep allow_url_include=Off so the flaw cannot be turned into remote file inclusion, block execution of PHP under wp-content/uploads, and add a WAF rule that rejects directory-traversal sequences in requests to the theme's PHP files.

Generated by OpenCVE AI on April 30, 2026 at 11:42 UTC.
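The recommendations above assume you can find where a theme's dynamic include lives, which this record does not say. The following audit script is added here and is not OpenCVE's or unfoldwp's code: it tokenises PHP source with PHP's own token_get_all() and reports include/require statements whose operand contains a variable, marking those that reference request superglobals directly as high. The sample source it scans is constructed for the demonstration; pass a directory such as wp-content/themes/magze as the first argument to scan an installed theme instead.

```php
<?php
declare(strict_types=1);

// Added audit helper, not part of OpenCVE or the Magze theme. It flags
// include/require statements whose operand contains a variable so a reviewer
// can inspect each candidate CWE-98 sink. A hit is a lead, not proof of a bug.

function find_dynamic_includes(string $source, string $label = '<inline>'): array
{
    $includeTokens  = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $requestGlobals = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_SERVER'];
    $findings = [];
    $tokens = token_get_all($source);
    $n = count($tokens);

    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || !in_array($t[0], $includeTokens, true)) {
            continue;
        }
        // Collect the operand: everything up to the ';' that ends the statement
        // at parenthesis depth 0. Comments are dropped, whitespace collapsed.
        $text  = '';
        $vars  = [];
        $depth = 0;
        for ($j = $i + 1; $j < $n; $j++) {
            $u = $tokens[$j];
            if (is_string($u)) {            // single-character tokens
                if ($u === '(') {
                    $depth++;
                } elseif ($u === ')') {
                    $depth--;
                } elseif ($u === ';' && $depth === 0) {
                    break;
                }
                $text .= $u;
                continue;
            }
            [$id, $str] = $u;
            if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
                continue;
            }
            if ($id === T_VARIABLE) {
                $vars[] = $str;
            }
            $text .= $id === T_WHITESPACE ? ' ' : $str;
        }
        // No variable anywhere in the operand: treated as static. A function
        // call could still return tainted data; extend the check if needed.
        if ($vars === []) {
            continue;
        }
        $tainted = array_intersect($vars, $requestGlobals) !== [];
        $findings[] = [
            'file'     => $label,
            'line'     => $t[2],
            'severity' => $tainted ? 'high' : 'review',
            'code'     => $t[1] . ' ' . trim($text),
        ];
    }
    return $findings;
}

// Scan every .php file under a directory, e.g. wp-content/themes/<theme>.
function scan_directory(string $dir): array
{
    $out = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->getExtension() === 'php') {
            $path = $file->getPathname();
            $out = array_merge($out, find_dynamic_includes(file_get_contents($path), $path));
        }
    }
    return $out;
}

// Constructed sample: three statements, only the first is static.
$sample = <<<'PHP'
<?php
require_once get_template_directory() . '/inc/helpers.php';
include( get_template_directory() . '/layouts/' . $_GET['layout'] . '.php' );
include "$template_dir/$name.php";
PHP;

$findings = $argc > 1 ? scan_directory($argv[1]) : find_dynamic_includes($sample, 'sample.php');
foreach ($findings as $f) {
    printf("%-7s %s:%d  %s\n", $f['severity'], $f['file'], $f['line'], $f['code']);
}
```

Run without arguments to see the constructed sample flag lines 3 and 4; the first statement passes because its operand carries no variable. "review" hits still need a human to trace where the variable comes from, since a value assigned from get_query_var() or a shortcode attribute is just as attacker-controlled as $_GET.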

Tracking


Advisories
Source: EUVD
ID: EUVD-2025-17548
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magze allows PHP Local File Inclusion. This issue affects Magze: from n/a through 1.0.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magze allows PHP Local File Inclusion. This issue affects Magze: from n/a through 1.0.9.
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magze magze allows PHP Local File Inclusion.This issue affects Magze: from n/a through <= 1.0.9.
Title
  Removed: WordPress Magze <= 1.0.9 - Local File Inclusion Vulnerability
  Added: WordPress Magze theme <= 1.0.9 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss
  Removed: {'score': 0.00151}
  Added: {'score': 0.00165}


Mon, 09 Jun 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Jun 2025 16:00:00 +0000

Type Values Removed Values Added
Description
  Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magze allows PHP Local File Inclusion. This issue affects Magze: from n/a through 1.0.9.
Title
  Added: WordPress Magze <= 1.0.9 - Local File Inclusion Vulnerability
Weaknesses
  Added: CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:59.993Z

Reserved: 2025-06-04T09:41:31.235Z

Link: CVE-2025-49282

Vulnrichment

Updated: 2025-06-09T19:25:09.705Z

NVD

Status: Deferred

Published: 2025-06-09T16:15:46.250

Modified: 2026-04-23T15:31:23.213

Link: CVE-2025-49282

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T11:45:21Z

Weaknesses