Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.7.
Published: 2025-08-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper handling of the filename supplied to PHP include/require calls, classified as CWE-98. This flaw allows an attacker to influence which files are read by the server, leading to the possibility of reading sensitive local files or executing arbitrary PHP code if a malicious file can be supplied. The impact includes loss of confidentiality and potential compromise of integrity and availability. The CVSS score of 8.1 indicates a high severity risk. The EPSS score of less than 1% suggests that observed exploitation activity is currently low and the vulnerability is not listed in the CISA KEV catalog.

Affected Systems

WordPress sites that have installed the Urna theme by thembay, specifically versions from the earliest released build through version 2.5.7 inclusive. Any site that remains on these versions is potentially vulnerable. Newer releases are not listed as affected by the CVE data, but the absence of an explicit fix in the CVE requires sites to check for an updated theme from the vendor.

Risk and Exploitability

The CVSS of 8.1 classifies the flaw as high severity, while an EPSS score below 1% indicates a relatively low likelihood of current exploitation. The attack vector is inferred to be remote: an unauthenticated adversary can trigger inclusion by providing a crafted file path through an HTTP request, assuming the theme does not sanitize the input. Successful exploitation could read arbitrary server files and, if a PHP payload can be delivered, lead to remote code execution. The vulnerability is not listed in the CISA KEV catalog, so it has not yet been identified as a known exploited vulnerability by the U.S. government.

Generated by OpenCVE AI on May 2, 2026 at 08:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Urna theme to the latest released version that is newer than 2.5.7, verifying that the upgrade contains the necessary input‑validation fixes.
  • If an upgrade cannot be performed immediately, edit the theme’s PHP files to strictly validate any filenames supplied before inclusion, restricting the include path to a known safe directory and rejecting any attempt to reference files outside that directory.
  • Set the PHP directive 'allow_url_include' to Off in php.ini to prevent inclusion of external URLs, and consider implementing .htaccess rules or equivalent server‑side restrictions to block direct access to files that could be included by the theme.
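
The filename validation described in the second recommendation, sketched as an added example. This is not code from the Urna theme or its vendor; the function name `resolve_template`, the `layouts` directory and the template names are hypothetical, and the sample files are constructed in a temporary directory.

```php
<?php
// Added illustration; not the Urna theme's code. All names are hypothetical.

/**
 * Map a request-supplied template name to a file under $baseDir.
 * Returns the canonical path, or null when the name must not be included.
 */
function resolve_template(string $baseDir, string $name, array $allowed): ?string
{
    // 1. Allowlist: accept only names the theme is known to ship.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 2. Containment: canonicalise, then confirm the result is still under $baseDir.
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed sample layout: one template inside the base, one file outside it.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/layouts', 0700, true);
file_put_contents($root . '/layouts/grid.php', "<?php echo 'grid layout';\n");
file_put_contents($root . '/secret.php', "<?php echo 'outside base';\n");

$allowed = ['grid', 'list'];
foreach (['grid', 'list', '../secret', 'grid/../../secret'] as $input) {
    $path = resolve_template($root . '/layouts', $input, $allowed);
    echo str_pad($input, 20), $path === null ? 'rejected' : 'include ' . basename($path), PHP_EOL;
}

// Even if the allowlist is misconfigured, the containment check still rejects the file.
$path = resolve_template($root . '/layouts', '../secret', ['../secret']);
echo str_pad('(bad allowlist)', 20), $path === null ? 'rejected' : 'include ' . basename($path), PHP_EOL;
```

Only `grid` resolves to a path. `list` is on the allowlist but has no file, and the remaining inputs fail either the allowlist or the containment check.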

Advisories
Source: EUVD
ID: EUVD-2025-24705
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.7.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 14 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Wordpress; Wordpress wordpress
Vendors & Products: Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7.
Title WordPress Urna Theme <= 2.5.7 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.965Z

Reserved: 2025-07-28T10:55:57.300Z

Link: CVE-2025-54689

Vulnrichment

Updated: 2025-08-14T18:40:33.105Z

NVD

Status: Deferred

Published: 2025-08-14T11:15:48.783

Modified: 2026-04-23T15:32:49.760

Link: CVE-2025-54689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T08:30:26Z

Weaknesses