Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dahz Kitring kitring allows PHP Local File Inclusion. This issue affects Kitring: from n/a through <= 2.8.
Published: 2025-08-20
Score: 8.1 (High)
EPSS: < 1% (Very Low)
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Dahz Kitring theme versions 2.8 and lower originates from improper validation of file names used in PHP include/require statements. Attackers who can influence the path value can cause the application to include arbitrary files. This can lead to sensitive file disclosure and, if the included file contains executable code, to remote code execution on the web server. The flaw directly affects confidentiality, integrity, and availability of the WordPress site.

Affected Systems

Any WordPress installation that uses the Dahz Kitring theme version 2.8 or earlier is impacted. No finer granularity of affected sub‑versions is provided; any deployment of the theme in that range is at risk.

Risk and Exploitability

The CVSS score of 8.1 classifies the issue as high severity. The EPSS value of less than 1% indicates that, as of the analysis, exploitation activity is very low. The vulnerability is not listed in CISA's KEV catalog, so there is no evidence of ongoing exploitation. The most likely attack vector is local file inclusion via manipulated parameters within the theme's PHP code, requiring the attacker to have some influence over the included path, but not necessarily external access. The low EPSS score suggests the risk is presently moderate, but the high CVSS score warrants prompt remediation.

Generated by OpenCVE AI on April 30, 2026 at 08:18 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade the Kitring theme to the latest released version (or any version newer than 2.8).
  • If an upgrade is not immediately possible, disable or remove the Kitring theme from the WordPress installation to eliminate the flaw.
  • Restrict PHP include paths and file permissions on the server to prevent arbitrary file inclusion, and enforce the principle of least privilege on application files.



Advisories
  • Source: EUVD; ID: EUVD-2025-28305; Title: Cross-Site Request Forgery (CSRF) vulnerability in Dourou Cookie Warning allows Cross Site Request Forgery. This issue affects Cookie Warning: from n/a through 1.3.
History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1)
    Added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Cross-Site Request Forgery (CSRF) vulnerability in Dourou Cookie Warning allows Cross Site Request Forgery. This issue affects Cookie Warning: from n/a through 1.3.
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dahz Kitring kitring allows PHP Local File Inclusion. This issue affects Kitring: from n/a through <= 2.8.
  Title
    Removed: WordPress Cookie Warning plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability
    Added: WordPress Kitring Theme <= 2.8 - Local File Inclusion Vulnerability
  Weaknesses
    Removed: CWE-352
    Added: CWE-98
  References
  Metrics (cvssV3_1)
    Removed: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Thu, 21 Aug 2025 12:45:00 +0000
  First Time appeared
    Added: Wordpress; Wordpress wordpress
  Vendors & Products
    Added: Wordpress; Wordpress wordpress

Wed, 20 Aug 2025 18:15:00 +0000
  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 Aug 2025 08:15:00 +0000
  Description
    Added: Cross-Site Request Forgery (CSRF) vulnerability in Dourou Cookie Warning allows Cross Site Request Forgery. This issue affects Cookie Warning: from n/a through 1.3.
  Title
    Added: WordPress Cookie Warning plugin <= 1.3 - Cross Site Request Forgery (CSRF) vulnerability
  Weaknesses
    Added: CWE-352
  References
  Metrics (cvssV3_1)
    Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

MITRE

  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-04-28T16:13:04.364Z
  Reserved: 2025-06-04T15:44:32.253Z
  Link: CVE-2025-49426

Vulnrichment

  Updated: 2025-08-20T18:02:15.464Z

NVD

  Status: Deferred
  Published: 2025-08-20T08:15:37.340
  Modified: 2026-04-23T15:31:39.793
  Link: CVE-2025-49426

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-30T08:30:06Z

Weaknesses