Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeuniver Glamer glamer allows PHP Local File Inclusion. This issue affects Glamer: from n/a through <= 1.0.2.
Published: 2025-08-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress Glamer theme versions up to 1.0.2 contain an improper control of the filename used in a PHP include statement, allowing attackers to trigger local file inclusion. The flaw, identified as CWE‑98, can enable the disclosure of arbitrary files residing on the web server, including configuration files, credentials, and other sensitive resources that the web process can read.

Affected Systems

The vulnerability affects the Glamer WordPress theme supplied by themeuniver, in all releases up to and including version 1.0.2.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no confirmed in-the-wild exploitation is recorded there. Based on the description, it is inferred that the attack vector would involve a remote web request that triggers the vulnerable include logic, allowing an attacker to read local files provided the web user has sufficient file system permissions. This analysis concentrates on confidentiality; the CVSS vector recorded for this CVE (C:H/I:H/A:H) rates integrity and availability impact as High as well.

Generated by OpenCVE AI on April 30, 2026 at 07:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Glamer theme to a release newer than 1.0.2 that removes the vulnerable include logic, once the vendor provides one.
  • If an upgrade is not immediately possible, deactivate the Glamer theme or replace it with a non‑vulnerable alternative until the patch is applied.
  • Restrict file system permissions for the web server and tighten PHP settings (disable allow_url_include, limit include_path) to prevent unintended file reads.

Advisories
Source: EUVD
ID: EUVD-2025-26004
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeUniver Glamer allows PHP Local File Inclusion. This issue affects Glamer: from n/a through 1.0.2.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeUniver Glamer allows PHP Local File Inclusion. This issue affects Glamer: from n/a through 1.0.2.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeuniver Glamer glamer allows PHP Local File Inclusion.This issue affects Glamer: from n/a through <= 1.0.2.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Thu, 28 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeUniver Glamer allows PHP Local File Inclusion. This issue affects Glamer: from n/a through 1.0.2.
Title WordPress Glamer Theme <= 1.0.2 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:20.911Z

Reserved: 2025-06-27T10:27:53.889Z

Link: CVE-2025-53216

Vulnrichment

Updated: 2025-08-28T18:41:24.508Z

NVD

Status: Deferred

Published: 2025-08-28T13:16:00.913

Modified: 2026-04-23T15:32:18.483

Link: CVE-2025-53216

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses