Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through < 1.7.1.
Published: 2025-06-17
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CozyStay theme passes user-supplied file names into include or require statements (CWE-98), which results in a local file inclusion vulnerability. The description states that an attacker can supply arbitrary file names that PHP then includes; if the attacker can get PHP code into any file the server is able to read, the inclusion executes that code on the server, although remote code execution is not explicitly confirmed in the advisory.

Affected Systems

All installations of the CozyStay theme by LoftOcean that are version 1.7.0 or earlier, i.e., before the 1.7.1 release, are affected. WordPress sites that use this theme without upgrading remain vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high severity: the issue is reachable over the network without privileges or user interaction, but attack complexity is rated high. The EPSS score of less than 1% indicates that exploitation is presently unlikely, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is inferred, not stated in the advisory: the attacker supplies a filename via a query parameter or form input that the theme concatenates into an include statement. Reading arbitrary local files needs nothing more than that; turning the inclusion into code execution additionally requires PHP code under the attacker's control to exist on the server at a path the web server can read (for example an uploaded file or a poisoned log), which the attacker then includes. While the likelihood of active exploitation is low at this time, the potential impact remains significant.

Generated by OpenCVE AI on April 30, 2026 at 17:41 UTC.

Remediation

No separate vendor advisory or workaround is recorded for this entry; the affected range (versions before 1.7.1) indicates that 1.7.1 is the fixed release.

OpenCVE Recommended Actions

  • Upgrade the CozyStay theme to version 1.7.1 or newer to eliminate the unsanitized filename logic.
  • If an upgrade is not immediately possible, review any areas of the theme that construct file paths from user input and implement strict validation against a whitelist of allowed filenames or directories.
  • Restrict filesystem permissions so that the web‑server user cannot write into directories from which PHP is served or included, and disable PHP execution in upload directories; this limits an attacker's ability to stage a file for inclusion.
  • Monitor web‑server access logs and WordPress/PHP error logs for requests whose parameters contain path‑traversal sequences (../ and its URL‑encoded variants) or PHP stream wrappers (php://, data://), and for unexpected reads of sensitive files such as wp-config.php, to detect exploitation attempts.
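
As an added example of the monitoring step (not part of the OpenCVE entry or the CozyStay project), the script below scans combined-format access log lines for query parameters that carry traversal sequences or PHP stream wrappers, decoding repeatedly so that double-encoded payloads are caught. The log lines are constructed for the demo, and the `template` parameter name is an assumption, not a known CozyStay parameter.

```php
<?php
// Added detection example: flag access-log requests whose query parameters
// look like CWE-98 inclusion payloads. The log lines are constructed for the
// demo and the parameter name "template" is an assumption, not CozyStay's.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [17/Jun/2025:15:20:01 +0000] "GET /?template=rooms HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [17/Jun/2025:15:21:44 +0000] "GET /?template=../../../../wp-config.php HTTP/1.1" 500 0 "-" "curl/8.4.0"
203.0.113.9 - - [17/Jun/2025:15:21:50 +0000] "GET /?template=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.9 - - [17/Jun/2025:15:22:03 +0000] "GET /?template=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 0 "-" "curl/8.4.0"
203.0.113.9 - - [17/Jun/2025:15:22:10 +0000] "GET /?template=%252e%252e%252fwp-config HTTP/1.1" 200 0 "-" "curl/8.4.0"
LOG;

function decode_fully(string $value): string {
    // Decode repeatedly to defeat double/triple encoding; stop once stable.
    for ($i = 0; $i < 5; $i++) {
        $next = rawurldecode($value);
        if ($next === $value) {
            break;
        }
        $value = $next;
    }
    return $value;
}

function is_inclusion_payload(string $value): bool {
    $v = strtolower(decode_fully($value));
    return str_contains($v, '../') || str_contains($v, '..\\')
        || preg_match('#^(php|file|data|phar|zip|expect|glob|compress\.\w+)://#', $v) === 1;
}

function find_inclusion_attempts(string $log): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Client IP, timestamp and request target from the combined log format.
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) /', $line, $m)) {
            continue;
        }
        [$ip, $when, $target] = [$m[1], $m[2], $m[3]];
        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        // Split the raw pairs ourselves so the encoded form is inspected as logged.
        foreach (explode('&', $query) as $pair) {
            [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
            if (is_inclusion_payload($value)) {
                $hits[] = [
                    'ip'    => $ip,
                    'time'  => $when,
                    'param' => $name,
                    'value' => decode_fully($value),
                ];
            }
        }
    }
    return $hits;
}

foreach (find_inclusion_attempts(SAMPLE_LOG) as $hit) {
    printf("%s %s param=%s value=%s\n", $hit['time'], $hit['ip'], $hit['param'], $hit['value']);
}
```

Of the five constructed lines only the first is benign; the other four are reported, including the double-encoded one. Access logs do not contain POST bodies, so if the theme accepts the filename through a form, pair this with application-level or WAF logging that records request bodies.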

Tracking

Advisories
Source: EUVD
ID: EUVD-2025-18523
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a.
History

Thu, 23 Apr 2026 15:00:00 +0000

Changes:
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Changes:
  Description removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a.
  Description added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through < 1.7.1.
  Title removed: WordPress CozyStay < 1.7.1 - Local File Inclusion Vulnerability
  Title added: WordPress CozyStay theme < 1.7.1 - Local File Inclusion vulnerability
  References: updated
  Metrics (cvssV3_1): {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 17 Jun 2025 18:15:00 +0000

Changes:
  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Jun 2025 15:15:00 +0000

Changes (initial publication):
  Description added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through n/a.
  Title added: WordPress CozyStay < 1.7.1 - Local File Inclusion Vulnerability
  Weaknesses added: CWE-98
  References: added
  Metrics (cvssV3_1) added: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:05.667Z

Reserved: 2025-06-06T10:33:37.436Z

Link: CVE-2025-49508

Vulnrichment

Updated: 2025-06-17T17:31:44.214Z

NVD

Status: Deferred

Published: 2025-06-17T15:15:49.720

Modified: 2026-04-23T15:31:43.090

Link: CVE-2025-49508

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:45:26Z

Weaknesses