Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Palladio palladio allows PHP Local File Inclusion. This issue affects Palladio: from n/a through <= 1.1.10.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename passed to a PHP include statement creates a local file inclusion (LFI) flaw. An attacker who controls that path can read configuration files, view source code, or execute code if they can point the include at a file whose contents they control. The issue is a classic CWE-98 weakness and can compromise the confidentiality and integrity of a site.

Affected Systems

WordPress installations that use the AncoraThemes Palladio theme version 1.1.10 or earlier are affected by the vulnerability. No other products are listed as impacted.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability. The EPSS score of less than 1% suggests a low likelihood of exploitation at present, and the vulnerability has not been listed in the CISA KEV catalog. The likely attack vector is an attacker influencing the path passed to the include routine, for example through form input, a crafted URL, or an uploaded file. If successfully exploited, the attacker could read or execute files on the local filesystem.

Generated by OpenCVE AI on April 29, 2026 at 15:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Palladio theme to a version newer than 1.1.10 or apply the vendor’s patch
  • If an upgrade is not immediately possible, disable the vulnerable include mechanism in the theme code or remove the file that performs the include
  • Implement file-path validation to ensure only legitimate, whitelisted files are included
  • Monitor access logs for unusual include requests or attempts to read sensitive files
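The following is an added illustration, not code from the Palladio theme, Patchstack, or OpenCVE, of the CWE-98 shape described in the analysis and of the allowlist validation recommended above. The first function shows the weak pattern where request input reaches `include`; the second maps the request value onto a fixed set of known partials so that no filesystem access happens for an unknown value. `TEMPLATE_DIR`, the partial names, and the `template` request parameter are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added, generic illustration of CWE-98 and its mitigation; not code from the Palladio theme.
// Assumption: template partials live under TEMPLATE_DIR and are chosen by a request parameter 'template'.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Weak pattern (the CWE-98 shape): the include path is built from request input.
// Traversal sequences, absolute paths or stream wrappers in $name let the caller pick the file.
function renderTemplateUnsafe(string $name): void
{
    include TEMPLATE_DIR . '/' . $name . '.php';
}

// Hardened pattern: request values are keys into a fixed map of known partials;
// the filesystem is never consulted for a value that is not in the map.
const ALLOWED_TEMPLATES = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

function isAllowedTemplate(string $name): bool
{
    return array_key_exists($name, ALLOWED_TEMPLATES);
}

// Resolves an allowlisted name to an absolute path, and additionally requires the
// resolved path to sit inside TEMPLATE_DIR (defence in depth against a misconfigured map).
function resolveTemplate(string $name): ?string
{
    if (!isAllowedTemplate($name)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$name]);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function renderTemplateSafe(string $name): void
{
    $path = resolveTemplate($name);
    if ($path === null) {
        // Rejections are logged so the log monitoring recommended above has something to match on.
        error_log(sprintf('rejected template include: %s', $name));
        http_response_code(400);
        return;
    }
    include $path;
}

// Constructed sample values (not request data) showing the allowlist decision.
foreach (['header', 'footer.php', '../config', '/tmp/upload'] as $candidate) {
    printf("%-16s -> %s\n", $candidate, isAllowedTemplate($candidate) ? 'allowed' : 'rejected');
}

// In a request handler the value would come from $_GET['template'] ?? 'header'.
```

The map is the real control: because its values are fixed string constants, the request value can only ever select one of them, and a missing key is rejected before `realpath()` or `include` is reached. The prefix check on the resolved path only guards against the map itself being edited to point outside the template directory.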

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Wordpress
                                       Wordpress wordpress
Vendors & Products                     Wordpress
                                       Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type       Values Removed   Values Added
Metrics                     cvssV3_1
                            {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                            ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type          Values Removed   Values Added
Description                    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Palladio palladio allows PHP Local File Inclusion. This issue affects Palladio: from n/a through <= 1.1.10.
Title                          WordPress Palladio theme <= 1.1.10 - Local File Inclusion vulnerability
Weaknesses                     CWE-98
References

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:22:19.925Z

Reserved: 2025-06-04T09:42:48.971Z

Link: CVE-2025-49368

Vulnrichment

Updated: 2025-12-18T19:14:28.703Z

NVD

Status : Deferred

Published: 2025-12-18T08:15:51.170

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49368

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')