Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Emberlyn emberlyn allows PHP Local File Inclusion.This issue affects Emberlyn: from n/a through <= 1.3.1.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper file name validation in PHP include/require statements allows local file inclusion. An attacker could supply a crafted path and read arbitrary files on the web server, leaking credentials or other confidential data. The weakness is identified as CWE-98.

Affected Systems

AncoraThemes Emberlyn theme, versions up through 1.3.1.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, but the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA KEV. It can be exploited by providing a malicious file path to the vulnerable include operation, likely requiring only a crafted URL or form input. No official solution is published yet, so applying a later version or mitigating input handling is recommended.

Generated by OpenCVE AI on April 29, 2026 at 13:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Emberlyn theme to the latest version (>=1.3.2).
  • Modify the theme so that only whitelisted, absolute file paths are passed to include/require functions.
  • Disable PHP directives that enable remote file inclusion by setting `allow_url_include` and `allow_url_fopen` to `Off` in php.ini and ensure file permissions restrict access to sensitive directories.

Generated by OpenCVE AI on April 29, 2026 at 13:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Emberlyn emberlyn allows PHP Local File Inclusion.This issue affects Emberlyn: from n/a through <= 1.3.1.
Title WordPress Emberlyn theme <= 1.3.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:14:40.863Z

Reserved: 2025-06-30T10:46:13.037Z

Link: CVE-2025-53431

cve-icon Vulnrichment

Updated: 2025-12-18T19:19:08.276Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:15:53.303

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53431

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:30:12Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')