Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Greenorganic greenorganic allows PHP Local File Inclusion. This issue affects Greenorganic: from n/a through <= 2.45.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filenames in PHP include/require statements within the Greenorganic theme for WordPress. An attacker can use the flaw to include arbitrary local files, which may result in the execution of malicious PHP code and compromise the confidentiality, integrity, and availability of the affected web server. The weakness is identified as CWE-98.

Affected Systems

Products impacted are the ApusTheme Greenorganic WordPress theme with versions from the earliest released build through and including version 2.45. Any installation using one of these releases is susceptible.

Risk and Exploitability

The CVSS score of 8.1 classifies the issue as high severity, but the EPSS score of less than 1% indicates a low probability of active exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves manipulating a local include parameter within the theme’s code, which generally requires either local file access or authenticated administrative credentials. As the issue is a local file inclusion, external attackers would need a sufficient foothold on the server or a vulnerable input that can influence the include path.

Generated by OpenCVE AI on April 29, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Greenorganic theme to any version newer than 2.45 if available.
  • If an update is not possible, disable or remove the theme from the WordPress installation to prevent the vulnerable code path.
  • Enforce strict file permission checks and limit PHP execution rights on the directories that the theme can access.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Wordpress, Wordpress wordpress |
| Vendors & Products | | Wordpress, Wordpress wordpress |

Thu, 18 Dec 2025 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 18 Dec 2025 07:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Greenorganic greenorganic allows PHP Local File Inclusion. This issue affects Greenorganic: from n/a through <= 2.45. |
| Title | | WordPress Greenorganic theme <= 2.45 - Local File Inclusion vulnerability |
| Weaknesses | | CWE-98 |
| References | | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:15:41.228Z

Reserved: 2025-06-30T10:46:13.038Z

Link: CVE-2025-53437

Vulnrichment

Updated: 2025-12-18T19:21:59.814Z

NVD

Status: Deferred

Published: 2025-12-18T08:15:54.117

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-53437

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:30:12Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')