Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion.This issue affects Rally: from n/a through <= 1.1.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Rally theme for WordPress stems from improper control of the filename used in PHP’s include/require statement. The flaw can allow an attacker to specify arbitrary file paths, resulting in Local File Inclusion. It is inferred from the description that if the attacker can cause a writable file to be included, the included file may execute as code, providing a path to remote code execution. The weakness is identified as CWE‑98.

Affected Systems

The issue affects the Rally theme distributed by axiomthemes, from its first release through version 1.1. Any WordPress site that has installed any of these versions is potentially vulnerable. The vulnerability is contained within the theme; no specific WordPress core versions are implicated.

Risk and Exploitability

The CVSS score of 8.1 marks the issue as high severity, but the EPSS score of <1% indicates a very low probability that a scriptable exploit is actively used in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting limited public exploitation. It is inferred that the likely attack vector is Local File Inclusion, and remote code execution would depend on the presence of writable files or chained exploits to inject malicious code.

Generated by OpenCVE AI on April 29, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Rally theme to a version newer than 1.1 once an official patch is released by axiomthemes.
  • If a patch is not yet available, completely remove or deactivate the Rally theme to eliminate the vulnerable code paths.
  • Restrict file system permissions on the WordPress installation so that the web server cannot write arbitrary files, thereby reducing the risk of an attacker creating a malicious include.
  • Where the theme uses user‑controlled values as include paths, implement strict input validation or escape mechanisms to ensure only allowed file names are processed, addressing the underlying CWE‑98 weakness.

Generated by OpenCVE AI on April 29, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 22 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 13:45:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes rally
CPEs cpe:2.3:a:axiomthemes:rally:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes rally

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion.This issue affects Rally: from n/a through <= 1.1.
Title WordPress Rally theme <= 1.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes Rally
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:17:14.414Z

Reserved: 2025-06-30T10:46:21.828Z

Link: CVE-2025-53448

cve-icon Vulnrichment

Updated: 2025-12-18T19:01:16.850Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:15:55.270

Modified: 2026-01-20T15:16:58.050

Link: CVE-2025-53448

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses