Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita zita allows PHP Local File Inclusion.This issue affects Zita: from n/a through <= 1.6.5.
Published: 2025-06-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Zita theme contains PHP code that dynamically includes files based on user-supplied input without validating the filename. This flaw allows an attacker to supply a crafted filename that causes the server to include an arbitrary local file, potentially leading to code execution or disclosure of sensitive data. The vulnerability is classified as high severity, with a CVSS score of 8.1.

Affected Systems

The issue affects any installation of the Zita theme from earlier versions through 1.6.5 on WordPress. All WordPress sites running the theme, including the free distribution from themehunk, are potentially impacted.

Risk and Exploitability

The CVSS score of 8.1 reflects a significant risk, while the EPSS score of less than 1% indicates that real-world exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog, suggesting no publicly known exploitation scripts. Based on the description, the likely attack vector is a local file inclusion triggered by an unsanitized parameter in the theme; an attacker can craft requests that cause the server to read or execute arbitrary local files, potentially leading to injection or remote code execution.

Generated by OpenCVE AI on April 30, 2026 at 10:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Zita theme to version 1.6.6 or newer, which removes the insecure inclusion logic.
  • Modify server configuration or the theme’s code to limit the directories that can be included and validate all filenames against a whitelist before calling include/require.
  • Deploy a web application firewall or similar controls to detect and block suspicious file inclusion attempts.

Generated by OpenCVE AI on April 30, 2026 at 10:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19310 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita zita allows PHP Local File Inclusion.This issue affects Zita: from n/a through <= 1.6.5.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

 cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Fri, 09 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Themehunk
Themehunk zita
CPEs cpe:2.3:a:themehunk:zita:*:*:*:*:free:wordpress:*:*
Vendors & Products Themehunk
Themehunk zita

Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.
Title WordPress Zita theme <= 1.6.5 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Themehunk Zita
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:27:45.464Z

Reserved: 2025-06-19T10:03:36.791Z

Link: CVE-2025-52816

cve-icon Vulnrichment

Updated: 2025-06-27T13:11:28.138Z

cve-icon NVD

Status : Modified

Published: 2025-06-27T12:15:43.610

Modified: 2026-04-23T15:32:13.680

Link: CVE-2025-52816

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:45:26Z

Weaknesses