Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine Saga magazine-saga allows PHP Local File Inclusion. This issue affects Magazine Saga: from n/a through <= 1.2.7.
Published: 2025-08-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the Magazine Saga theme originates from an unfiltered include/require statement that directly uses file names supplied by users. Since the path is not validated, an attacker can specify any readable file on the server, exposing configuration, code, or other sensitive data. This vulnerability is defined as a PHP Local File Inclusion and is catalogued as CWE‑98.

Affected Systems

WordPress sites that install the unfoldwp Magazine Saga theme version 1.2.7 or earlier are affected and should be treated as potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.1 marks the issue as high severity. The EPSS score of less than 1% indicates that exploitation is considered unlikely at the time of assessment, and the vulnerability is not included in the CISA KEV catalog. The inferred attack vector is local: an attacker would need to deliver a crafted include path via the theme’s configuration or through another vulnerability that permits reading or including arbitrary files. The published CVSS 3.1 vector for this record (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), however, rates the attack vector as network, with no privileges required and high attack complexity, so exposure assessments should account for that rating. Successful exploitation would let an attacker read any file the web process can access, thereby exposing confidential information or undermining site integrity.

Generated by OpenCVE AI on May 1, 2026 at 06:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Magazine Saga theme to version 1.2.8 or later, which validates the include path before use.
  • If an immediate upgrade is not possible, edit the theme’s PHP files to sanitize the file path, restricting inclusion to a known set of safe files or directories.
  • Limit the capabilities of users who can edit theme settings, ensuring only the least privileged accounts can supply file paths.

Advisories
Source: EUVD
ID: EUVD-2025-25999
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine Saga allows PHP Local File Inclusion. This issue affects Magazine Saga: from n/a through 1.2.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine Saga allows PHP Local File Inclusion. This issue affects Magazine Saga: from n/a through 1.2.7.
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in unfoldwp Magazine Saga magazine-saga allows PHP Local File Inclusion. This issue affects Magazine Saga: from n/a through <= 1.2.7.
References
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 Aug 2025 21:30:00 +0000

First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Thu, 28 Aug 2025 13:00:00 +0000

Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine Saga allows PHP Local File Inclusion. This issue affects Magazine Saga: from n/a through 1.2.7.
Title: WordPress Magazine Saga Theme <= 1.2.7 - Local File Inclusion Vulnerability
Weaknesses: CWE-98
References
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:21.507Z

Reserved: 2025-06-27T10:28:03.500Z

Link: CVE-2025-53227

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-08-28T13:16:01.997

Modified: 2026-04-23T15:32:19.647

Link: CVE-2025-53227

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:30:10Z

Weaknesses