Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through < 7.5.1.
Published: 2025-08-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper handling of filenames in include/require statements, allowing local file inclusion. An attacker can supply crafted paths to read or code‑execute arbitrary files on the server, which may lead to disclosure of sensitive data or full system compromise.

Affected Systems

TieLabs Jannah WordPress theme, all releases before version 7.5.1, regardless of WordPress core version.

Risk and Exploitability

The CVSS score is 8.1, indicating high severity, while the EPSS score of less than 1% suggests a low but non‑zero exploitation probability. The vulnerability is not listed in CISA KEV. An attacker can exploit the flaw by manipulating the filename input that the theme passes to PHP’s include/require, potentially executing local code.

Generated by OpenCVE AI on April 30, 2026 at 07:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jannah theme to version 7.5.1 or later. This patch removes the insecure include handling and validates filenames properly.
  • Disable PHP functions that could be abused for file inclusion by setting "allow_url_include" to 0 in php.ini or via .htaccess, and enforce "open_basedir" to restrict file access.
  • Review any custom code or plugin hooks that modify the include path within the theme and remove or sanitize them to prevent future LFI attempts.

Generated by OpenCVE AI on April 30, 2026 at 07:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-25989 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through 7.4.1.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through 7.4.1. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion.This issue affects Jannah: from n/a through < 7.5.1.
Title WordPress Jannah Theme <= 7.4.1 - Local File Inclusion Vulnerability WordPress Jannah Theme < 7.5.1 - Local File Inclusion Vulnerability
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Tielabs
Tielabs jannah
Wordpress
Wordpress wordpress
Vendors & Products Tielabs
Tielabs jannah
Wordpress
Wordpress wordpress

Thu, 28 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through 7.4.1.
Title WordPress Jannah Theme <= 7.4.1 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Tielabs Jannah
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:24.072Z

Reserved: 2025-06-27T11:59:29.325Z

Link: CVE-2025-53334

cve-icon Vulnrichment

Updated: 2025-08-28T14:08:18.285Z

cve-icon NVD

Status : Deferred

Published: 2025-08-28T13:16:04.120

Modified: 2026-04-23T15:32:30.780

Link: CVE-2025-53334

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T07:45:26Z

Weaknesses