Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Assembly assembly allows PHP Local File Inclusion.This issue affects Assembly: from n/a through <= 1.1.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The affected WordPress theme contains an improper filename control for include/require statements, allowing attackers to include arbitrary local files. This weakness, identified as CWE‑98, can expose sensitive files and compromise the confidentiality and integrity of the site content.

Affected Systems

Versions of the Assembly theme released by Axiomthemes from the initial release through 1.1 are vulnerable. Any site using Assembly 1.1 or earlier is at risk.

Risk and Exploitability

The CVSS score of 8.1 classifies this issue as high severity, while the EPSS score of less than 1% indicates a low current threat likelihood. The vulnerability is not listed in the CISA KEV catalog, and no public exploits are documented. Based on the description, the likely attack vector involves remotely accessing the theme’s PHP code paths that perform file inclusion, requiring the attacker to supply a crafted filename parameter. The lack of explicit authentication requirements suggests that the flaw could be exploitable by unauthenticated users, but this is inferred rather than stated in the data.

Generated by OpenCVE AI on April 29, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Assembly theme to a fixed release from Axiomthemes immediately.
  • If upgrading is not possible, modify the theme’s code to enforce strict whitelist checks on include paths or to disallow relative paths entirely.
  • Implement server‑side restrictions (e.g., .htaccess or nginx rules) that block execution of arbitrary PHP files within the theme directory and prevent inclusion of local files through web requests.

Generated by OpenCVE AI on April 29, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes assembly
CPEs cpe:2.3:a:axiomthemes:assembly:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes assembly

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Assembly assembly allows PHP Local File Inclusion.This issue affects Assembly: from n/a through <= 1.1.
Title WordPress Assembly theme <= 1.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes Assembly
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:17:03.269Z

Reserved: 2025-06-30T10:46:21.828Z

Link: CVE-2025-53447

cve-icon Vulnrichment

Updated: 2025-12-18T19:11:18.231Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:15:55.140

Modified: 2026-01-20T15:16:57.907

Link: CVE-2025-53447

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses