Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion. This issue affects Gracioza: from n/a through <= 1.0.15.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gracioza WordPress theme contains an LFI vulnerability caused by improper validation of file names in include/require statements. An attacker can supply crafted input to the theme’s parameters, enabling the PHP interpreter to load arbitrary local files. If the attacker can trigger execution of PHP code through these files, it can result in privilege escalation, data exposure, or full site compromise. The weakness aligns with CWE‑98: Improper Control of Filename for Include/Require Statement.

Affected Systems

All installations of AncoraThemes Gracioza theme versions up to and including 1.0.15 are affected. Any WordPress site using a vulnerable version of this theme is at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, but it can be exploited remotely via an HTTP request that manipulates the theme's input parameters. The overall picture is therefore high severity with a currently low exploitation likelihood, which still makes patching a priority.

Generated by OpenCVE AI on April 30, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Gracioza theme to the latest available version, where the LFI flaw has been addressed.
  • If an immediate update is not possible, temporarily disable the Gracioza theme or switch to a non‑vulnerable theme until a patch is applied.
  • Configure a web application firewall or modify filesystem permissions to restrict include paths to approved directories, preventing arbitrary file inclusion.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Fri, 19 Dec 2025 09:30:00 +0000
  Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000
  Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000
  Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion. This issue affects Gracioza: from n/a through <= 1.0.15.
  Type: Title
  Values Added: WordPress Gracioza theme <= 1.0.15 - Local File Inclusion vulnerability
  Type: Weaknesses
  Values Added: CWE-98
  Type: References
  Values Added:

MITRE
  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-04-28T16:13:02.194Z
  Reserved: 2025-06-04T09:42:41.320Z
  Link: CVE-2025-49362

Vulnrichment
  Updated: 2025-12-18T18:53:02.673Z

NVD
  Status: Deferred
  Published: 2025-12-18T08:15:50.380
  Modified: 2026-04-27T20:16:12.000
  Link: CVE-2025-49362

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-30T05:00:14Z

Weaknesses