Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca ireca allows PHP Local File Inclusion. This issue affects Ireca: from n/a through <= 1.8.5.
Published: 2025-08-28
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an improper control of the filename passed to a PHP include/require statement (CWE-98): a request-influenced value reaches include(), so an attacker can make the theme load a file of their choosing from the server's filesystem. Because include() executes the target as PHP rather than merely reading it, the outcome depends on what the attacker can point it at: any existing .php file on the server runs in the theme's context, and if the attacker can place PHP code in a file the web server process can read (an uploaded image, a log file, a session file), the result is remote code execution. Where a stream wrapper such as php://filter can be reached through the same parameter, the flaw can also disclose source files such as wp-config.php. The CVSS 3.1 score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects network reachability without authentication and full confidentiality, integrity and availability impact, tempered only by high attack complexity.
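The paragraph above describes the weakness in the abstract. The following is an added example, not code from the Ireca theme or from OpenCVE: it shows the CWE-98 shape that produces a local file inclusion, beside one hardened form that maps request values through a fixed allowlist and confirms the resolved path stays inside the template directory. The template directory, the allowlist entries and the request values are assumptions made for illustration; the advisory does not name the vulnerable parameter or file.

```php
<?php
// Added example, not code from the Ireca theme or from OpenCVE: the CWE-98
// shape behind a PHP local file inclusion, beside one hardened form. The
// template directory, the allowlist entries and the request value names are
// assumptions made for illustration; nothing here is taken from the theme.

// --- Vulnerable shape ------------------------------------------------------
// A request-controlled string is concatenated into the include path. A fixed
// ".php" suffix is not a fix: "../wp-config" still resolves to wp-config.php,
// and the traversal depth is the attacker's choice.
function vulnerable_include_path(string $templateDir, string $name): string
{
    return $templateDir . '/' . $name . '.php';
}

function render_template_vulnerable(string $templateDir, string $name): void
{
    // Whatever file this resolves to is executed as PHP, not just read.
    include vulnerable_include_path($templateDir, $name);
}

// --- Hardened shape --------------------------------------------------------
// Request values are keys into a fixed allowlist; user input never becomes
// part of a path. The realpath() containment check is a second layer in case
// the allowlist is later edited to contain a relative or absolute entry.
const TEMPLATE_ALLOWLIST = [
    'menu'    => 'menu.php',
    'gallery' => 'gallery.php',
];

function resolve_template(string $templateDir, string $name): ?string
{
    if (!array_key_exists($name, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . TEMPLATE_ALLOWLIST[$name]);
    if ($base === false || $path === false) {
        return null; // fail closed: unknown directory or missing file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }
    return $path;
}

function render_template_safe(string $templateDir, string $name): void
{
    $path = resolve_template($templateDir, $name);
    if ($path === null) {
        http_response_code(400);
        echo "unknown template\n";
        return;
    }
    include $path;
}

// --- Stand-alone demonstration: php lfi_example.php ------------------------
// Constructed files in a temporary directory stand in for the site tree.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/templates', 0700, true);
file_put_contents($root . '/templates/menu.php', "<?php echo \"menu rendered\\n\";\n");
file_put_contents($root . '/wp-config.php', "<?php echo \"wp-config.php executed from outside the template dir\\n\";\n");

$inputs = [
    'menu',          // legitimate value
    '../wp-config',  // traversal to a .php file one level up
    'gallery',       // allowlisted name whose file does not exist
];
foreach ($inputs as $input) {
    printf("input %-16s vulnerable path: %s\n", var_export($input, true),
        vulnerable_include_path($root . '/templates', $input));
    printf("      %-16s hardened result: %s\n", '',
        resolve_template($root . '/templates', $input) ?? 'rejected');
}

// The vulnerable version executes the out-of-tree file; the hardened one refuses.
render_template_vulnerable($root . '/templates', '../wp-config');
render_template_safe($root . '/templates', '../wp-config');

// Remove the constructed files.
unlink($root . '/templates/menu.php');
unlink($root . '/wp-config.php');
rmdir($root . '/templates');
rmdir($root);
```

Run it with the PHP CLI to see the traversal value execute wp-config.php through the vulnerable path and be rejected by the allowlist. The point of the two-layer check is that the allowlist removes user input from the path entirely, while the realpath() containment test catches a future maintainer adding an entry that points outside the directory; neither sanitising "../" out of the input nor appending a fixed extension achieves the same.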

Affected Systems

WordPress installations that employ the ovatheme Ireca theme, version 1.8.5 or earlier. Any site running this theme within the specified version range is susceptible without a patch or update.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity vulnerability. The vector (AV:N/AC:H/PR:N/UI:N) describes an unauthenticated attack over the network with no user interaction but high attack complexity, and the SSVC assessment in the history below records no known exploitation and marks the issue as not automatable. The low EPSS score (<1%) and its absence from the CISA KEV catalog point the same way, but both describe exploitation observed to date, not how hard the bug is to exploit. The likely attack vector is an unauthenticated web request that reaches the vulnerable PHP code, perhaps through a query parameter or an internal routing mechanism, giving the attacker control over the included filename; the advisory does not name the parameter. Note that "local" in Local File Inclusion refers to where the included file lives (the server's own filesystem), not to who can trigger it: the attacker is remote, and the party at risk is the site owner. Escalation to remote code execution requires the attacker to get PHP code into some file the web server can read, which is an additional step but a well-trodden one on WordPress sites.

Generated by OpenCVE AI on April 30, 2026 at 03:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ireca theme to a release newer than 1.8.5 as soon as one is available (the advisory lists 1.8.5 and earlier as affected and records no fix at the time of writing).
  • If no fixed release exists, remove or deactivate the theme. Deactivation may not be enough if the theme's PHP files remain reachable by direct request, so delete them or deny access to them at the web server.
  • Hardening that limits impact without fixing the flaw: keep allow_url_include off (its default) so the local inclusion cannot be escalated to a remote one; set open_basedir for the site's PHP-FPM pool to the WordPress root so traversal outside it fails; and, where the site's functionality allows, deny direct requests to theme PHP files that are not intended as entry points (for example a web server rule returning 403 for /wp-content/themes/*/*.php). Blocking access to the web root itself is not an option, since that takes the site offline. A WAF rule for ../ and php:// in request parameters reduces exposure but can be bypassed with encoding.
  • Monitor web server logs for traversal sequences (../, %2e%2e%2f), PHP stream wrappers (php://filter, data://) and requests naming wp-config.php or /etc/passwd in parameters, and treat a 200 response to such a request as a potential compromise rather than a blocked probe.
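The last item above asks for log monitoring without saying what to match. The following is an added example, not part of the OpenCVE page or the Ireca theme: a small PHP CLI scanner for the request patterns a local file inclusion attempt leaves in a combined-format access log. The log lines in it are constructed for the demonstration, and the "template" query parameter they use is invented; it is not a known parameter of the affected theme.

```php
<?php
// Added example, not part of the OpenCVE page or the Ireca theme: a small
// scanner for the request patterns a local file inclusion attempt leaves in
// an Apache/nginx combined-format access log. The log lines below are
// constructed for the demonstration, and the "template" query parameter in
// them is invented; it is not a known parameter of the affected theme.

// Indicators of traversal and include abuse. They are matched against both
// the raw request target and its fully URL-decoded form, so %2e%2e%2f and
// double-encoded variants are caught as well as plain "../".
const LFI_INDICATORS = [
    'traversal'      => '#(\.\./|\.\.\\\\)#',
    'stream_wrapper' => '#\b(php|data|expect|phar|zip)://#i',
    'sensitive_file' => '#(wp-config|/etc/passwd|/proc/self/environ)#i',
    'null_byte'      => '#%00|\x00#',
];

function decode_fully(string $s): string
{
    // Decode repeatedly (bounded) so layered encodings normalise to one form.
    for ($i = 0; $i < 3; $i++) {
        $d = rawurldecode($s);
        if ($d === $s) {
            break;
        }
        $s = $d;
    }
    return $s;
}

// Returns the indicator names that match one access-log line, or [] if the
// line is not parseable or nothing suspicious was found.
function classify_line(string $line): array
{
    $re = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})#';
    if (!preg_match($re, $line, $m)) {
        return [];
    }
    $haystack = $m[3] . "\n" . decode_fully($m[3]);
    $hits = [];
    foreach (LFI_INDICATORS as $name => $regex) {
        if (preg_match($regex, $haystack)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Scans an iterable of log lines and groups hits by client address, which is
// what a responder wants first: who is probing, and with what.
function scan_log(iterable $lines): array
{
    $byClient = [];
    foreach ($lines as $idx => $line) {
        $hits = classify_line($line);
        if ($hits === []) {
            continue;
        }
        $client = explode(' ', $line, 2)[0];
        $byClient[$client][] = ['line' => $idx + 1, 'indicators' => $hits, 'raw' => $line];
    }
    return $byClient;
}

// Constructed sample: two probing clients and one normal visitor.
$sample = [
    '203.0.113.7 - - [28/Aug/2025:13:05:01 +0000] "GET /?template=menu HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Aug/2025:13:05:09 +0000] "GET /?template=../../../wp-config HTTP/1.1" 200 2210 "-" "curl/8.4.0"',
    '198.51.100.23 - - [28/Aug/2025:13:06:40 +0000] "GET /?template=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.23 - - [28/Aug/2025:13:06:41 +0000] "GET /?template=php://filter/convert.base64-encode/resource=wp-config HTTP/1.1" 200 9876 "-" "python-requests/2.31"',
    '192.0.2.10 - - [28/Aug/2025:13:07:02 +0000] "GET /wp-content/themes/example-theme/style.css HTTP/1.1" 200 12000 "-" "Mozilla/5.0"',
];

// Usage: php lfi_log_scan.php, or replace $sample with file('/var/log/apache2/access.log').
foreach (scan_log($sample) as $client => $events) {
    printf("%s: %d suspicious request(s)\n", $client, count($events));
    foreach ($events as $e) {
        printf("  line %d [%s] %s\n", $e['line'], implode(',', $e['indicators']), $e['raw']);
    }
}
```

Two caveats a practitioner should keep in mind: the access log only records the request line, so a parameter delivered in a POST body never appears here and needs application-level or WAF logging, and a 500 on a traversal attempt is still worth investigating, since it often means the include ran and failed on the chosen file rather than that the request was blocked.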

Generated by OpenCVE AI on April 30, 2026 at 03:03 UTC.

Tracking


Advisories
Source ID Title
EUVD EUVD EUVD-2025-25977 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca allows PHP Local File Inclusion. This issue affects Ireca: from n/a through 1.8.5.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca allows PHP Local File Inclusion. This issue affects Ireca: from n/a through 1.8.5. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca ireca allows PHP Local File Inclusion.This issue affects Ireca: from n/a through <= 1.8.5.
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 28 Aug 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared    Wordpress; Wordpress wordpress
Vendors & Products     Wordpress; Wordpress wordpress

Thu, 28 Aug 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca allows PHP Local File Inclusion. This issue affects Ireca: from n/a through 1.8.5.
Title WordPress Ireca Theme <= 1.8.5 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:35.860Z

Reserved: 2025-07-28T10:56:17.344Z

Link: CVE-2025-54716

Vulnrichment

Updated: 2025-08-28T18:28:36.375Z

NVD

Status : Deferred

Published: 2025-08-28T13:16:07.840

Modified: 2026-04-23T15:32:52.860

Link: CVE-2025-54716

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T03:15:26Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')