Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Confidant allows PHP Local File Inclusion.

This issue affects Confidant: from n/a through 1.4.
Published: 2026-06-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Local File Inclusion flaw identified as CWE-98. Improper validation of filename arguments in the Confidant WordPress theme allows an attacker to include arbitrary files on the web server. An attacker could potentially execute malicious PHP code or read sensitive files, which could lead to loss of confidentiality, integrity, or even remote code execution if vulnerable files are included.

Affected Systems

The defect affects the Axiomthemes Confidant WordPress theme version 1.4 and all earlier releases. Users running any of those versions are at risk.

Risk and Exploitability

The CVSS score of 8.1 reflects high severity, while the EPSS score is not provided, so the likelihood of exploitation is uncertain. The vulnerability is not listed in the CISA KEV catalog. Exploitation would most likely occur via a crafted web request that supplies a malicious file path to the theme’s include routine, giving the attacker local file access within the web server context.

Generated by OpenCVE AI on June 2, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Confidant theme to the latest version that addresses the Local File Inclusion issue.
  • If a patched version is not yet available, deactivate or remove the Confidant theme to eliminate the exposed code path.
  • Deploy a web application firewall rule or modify application code to restrict include parameters to a whitelisted set of safe paths.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Confidant allows PHP Local File Inclusion. This issue affects Confidant: from n/a through 1.4.
Title | | WordPress Confidant theme <= 1.4 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T12:11:51.486Z

Reserved: 2025-06-30T10:46:21.828Z

Link: CVE-2025-53440

Vulnrichment

Updated: 2026-06-02T12:11:46.496Z

NVD

Status: Deferred

Published: 2026-06-02T12:16:16.493

Modified: 2026-06-02T13:03:31.153

Link: CVE-2025-53440

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T12:30:08Z
