Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through <= 1.3.9.
Published: 2025-06-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Diza theme for WordPress contains a flaw where the filename used in an include or require statement is not properly controlled, allowing attackers to specify arbitrary local files for inclusion. This Local File Inclusion (LFI) vulnerability can expose sensitive server data and, if an attacker provides a file that contains PHP code, could lead to remote code execution. The weakness corresponds to CWE-98.

Affected Systems

The vulnerability affects the Diza theme provided by thembay. All releases from the initial version up to and including version 1.3.9 are impacted. Sites running any of these versions should be treated as affected.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score of less than 1% suggests the exploitation probability is currently low. This vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker can trigger the flaw by sending a crafted URL or form input that causes the theme to include an unintended file. Successful exploitation would likely not require authentication, but the resulting remote code execution would depend on whether the included file contains executable PHP code and the server allows it to run.

Generated by OpenCVE AI on April 30, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Diza theme to a version newer than 1.3.9 if an update is available
  • If an immediate update is not available, limit the theme’s ability to execute PHP files by adding appropriate directives to .htaccess or php.ini so that the theme directory does not allow execution of uploaded or included PHP code
  • Implement input validation in the theme’s PHP code to ensure that any filename passed to include or require is strictly constrained to the intended set of files
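As an added example (not code from the Diza theme or from OpenCVE), the following PHP shows the allow-list approach from the last recommendation: the request parameter name `template`, the `templates/` directory and the file map are assumptions.

```php
<?php
// Added example (not the Diza theme's code nor OpenCVE's): constraining a
// user-controlled template name before it reaches include/require (CWE-98).
// The "template" parameter name and the templates/ directory are assumptions.
declare(strict_types=1);

/**
 * Resolve a requested template name to a file inside $templateDir, or null.
 *
 * Two independent controls:
 *  1. Allow-list: only names present as keys in $allowed are accepted, so
 *     "../", absolute paths and stream wrappers never reach the filesystem.
 *  2. realpath() containment check, as defence in depth should the
 *     allow-list later be populated from a less trusted source.
 */
function resolve_template(string $requested, string $templateDir, array $allowed): ?string
{
    if (!array_key_exists($requested, $allowed)) {
        return null;                 // unknown name: refuse, never fall through
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;                 // directory or file does not exist
    }
    // Containment: the resolved file must sit under the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// The pattern the advisory describes (CWE-98): the request value reaches
// include unchecked, so any readable local file can be pulled in.
//   include get_template_directory() . '/templates/' . $_GET['template'] . '.php';

// Hardened use: the request value only selects a key; the file name comes
// from the map, never from the request.
$allowed = [
    'default' => 'default.php',
    'grid'    => 'grid.php',
    'list'    => 'list.php',
];
$requested = is_string($_GET['template'] ?? null) ? $_GET['template'] : 'default';
$file = resolve_template($requested, __DIR__ . '/templates', $allowed);
if ($file === null) {
    http_response_code(400);
    exit('Unknown template');
}
include $file;
```

The allow-list alone is the fix; the realpath() check costs one extra syscall and catches a later mistake in how the map is built.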

Advisories
Source: EUVD
ID: EUVD-2025-19299
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.9.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description (removed): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.9.
Description (added): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.9.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 27 Jun 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.9.
Title WordPress Diza theme <= 1.3.9 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:17.625Z

Reserved: 2025-06-19T10:02:39.647Z

Link: CVE-2025-52729

Vulnrichment

Updated: 2025-06-27T13:10:03.939Z

NVD

Status : Deferred

Published: 2025-06-27T12:15:41.430

Modified: 2026-04-23T15:32:05.903

Link: CVE-2025-52729

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:30:26Z

Weaknesses