Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.6.3.
Published: 2025-08-14
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The report identifies a flaw in the WordPress Unicamp theme where an attacker can control the filename supplied to PHP include/require statements. This improper handling of user input, classified as CWE-98, results in a local file inclusion vulnerability. The impact includes the potential to read sensitive files on the server such as configuration files, passwords, or backups, and in some contexts may lead to remote code execution if the included file contains executable PHP code. The vulnerability is confined to the theme’s internal code and does not directly affect WordPress core or other plugins.

Affected Systems

The flaw affects any installation that uses the Unicamp theme from ThemeMove for WordPress, specifically all releases from the earliest available version up to and including version 2.6.3. No other vendor or product versions are mentioned as vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity. The EPSS score of less than 1% shows that, while the vulnerability is serious, the likelihood of exploitation remains low at present. It is not listed in the CISA KEV catalog. Exploitation typically requires the attacker to be able to influence the filename passed to the theme’s include/require logic, which may be possible through crafted URLs or form inputs. The attack vector is therefore local file inclusion, with potential remote code execution if the attacker can include a writable file that contains malicious code.

Generated by OpenCVE AI on April 30, 2026 at 03:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Unicamp theme to the latest released version that resolves the inclusion issue.
  • If an upgrade is not immediately feasible, remove or neutralize any template files that perform unsanitized includes, or lock the include paths to the theme’s directory only.
  • As a temporary workaround, restrict PHP file execution permissions for files outside the theme directory and consider blocking direct access to the plugin’s upload directory via .htaccess or equivalent server configuration.

Advisories
Source: EUVD
ID: EUVD-2025-24693
Title: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through 2.6.3.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through 2.6.3.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion.This issue affects Unicamp: from n/a through <= 2.6.3.

Type: References

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 04 Feb 2026 16:45:00 +0000

Type: First Time appeared
Values Added: Thememove; Thememove unicamp

Type: CPEs
Values Added: cpe:2.3:a:thememove:unicamp:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Thememove; Thememove unicamp

Thu, 14 Aug 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 14 Aug 2025 13:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 14 Aug 2025 10:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through 2.6.3.

Type: Title
Values Added: WordPress Unicamp Theme <= 2.6.3 - Local File Inclusion Vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:34.923Z

Reserved: 2025-07-28T10:56:09.193Z

Link: CVE-2025-54701

Vulnrichment

Updated: 2025-08-14T14:43:48.055Z

NVD

Status: Modified

Published: 2025-08-14T11:15:52.213

Modified: 2026-04-23T15:32:51.157

Link: CVE-2025-54701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:30:27Z
