Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User case-theme-user allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a through < 1.0.4.
Published: 2026-04-10
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion that may enable remote code execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from improper control of a filename used in a PHP include or require statement within the Case Theme User plugin. An attacker could supply a crafted path that causes the plugin to include an arbitrary local file on the server, allowing reading of sensitive files, file disclosure, or execution of PHP code if the included file contains malicious code. This weakness aligns with CWE‑98.

Affected Systems

WordPress sites that have the Case Theme User plugin installed with a version earlier than 1.0.4 are affected. The plugin is distributed by Case Themes under the product name Case Theme User; all releases prior to 1.0.4 are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity local file inclusion. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog. Based on the updated description, the likely attack vector is remote through the web interface, such as manipulating a query parameter that is passed to the include statement. The impact is confined to the web server’s filesystem, but successful exploitation could compromise the entire site or host.

Generated by OpenCVE AI on April 28, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest version of the Case Theme User plugin (v1.0.4 or newer).
  • If an immediate update is unavailable, restrict the plugin’s include paths to a safe directory and validate user input to prevent arbitrary file inclusion.
  • If the plugin is not required for site functionality, disable or uninstall it to remove the vulnerable code.

Generated by OpenCVE AI on April 28, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:45:00 +0000

Type Values Removed Values Added
References

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User case-theme-user allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a through < 1.0.4.
References

Mon, 13 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Case-themes
Case-themes case Theme User
Wordpress
Wordpress wordpress
Vendors & Products Case-themes
Case-themes case Theme User
Wordpress
Wordpress wordpress

Fri, 10 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4.
Title WordPress Case Theme User < 1.0.4 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Case-themes Case Theme User
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:41.220Z

Reserved: 2025-06-06T11:19:06.151Z

Link: CVE-2025-5804

cve-icon Vulnrichment

Updated: 2026-04-13T18:05:59.768Z

cve-icon NVD

Status : Deferred

Published: 2026-04-10T14:16:25.450

Modified: 2026-04-24T18:00:32.033

Link: CVE-2025-5804

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:45:26Z

Weaknesses