Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Paragon paragon allows PHP Local File Inclusion. This issue affects Paragon: from n/a through <= 1.1.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Paragon WordPress theme, versions 1.1 and earlier, does not properly control the filename passed to a PHP include/require statement. This flaw permits an attacker to manipulate the file path used by the include, enabling the inclusion of arbitrary local files. The attacker could read sensitive configuration files, or execute code if a malicious script is included, potentially compromising site confidentiality and availability.

Affected Systems

Any WordPress installation running AxiomThemes Paragon theme version 1.1 or earlier is affected. The vulnerability is present in every release from the initial release up to and including 1.1.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of below 1% shows a low probability of exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, a likely attack vector involves passing a user‑controlled value to the include statement, either via a front‑end request or through administrative input. If the include statement causes execution of the included file, remote code execution could result. The risk remains high if exploitation occurs, especially on publicly accessible sites.

Generated by OpenCVE AI on April 29, 2026 at 15:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Paragon theme to the latest release that addresses the LFI flaw.
  • If an upgrade is not immediately possible, remove or comment out any PHP include/require logic that accepts user‑supplied filenames.
  • Apply input validation so that only allowlisted, absolute file paths are processed, and enforce strict file permission restrictions to prevent sensitive files from being read or executed.
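As an added illustration of the last two actions (example code written for this page, not the Paragon theme's own code, whose affected source is not shown here), the generic CWE-98 include pattern beside an allowlist-based replacement; the request parameter name `template` and the `templates/` directory are assumed for illustration:

```php
<?php
// Added example: generic CWE-98 pattern, not the Paragon theme's own code.
// The 'template' request parameter and the templates/ directory are assumed.

// Vulnerable pattern: the include path is built from a user-controlled value.
// Any readable local file (including attacker-uploaded ones) can end up being
// included and, because include executes PHP, run as code.
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// Hardened pattern: map the request value onto a fixed allowlist of files so
// the raw value never becomes part of the path.
const TEMPLATE_ALLOWLIST = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

function resolve_template(string $template): ?string
{
    if (!array_key_exists($template, TEMPLATE_ALLOWLIST)) {
        return null; // unknown key: refuse rather than guess
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$template]);
    // Defence in depth: the resolved absolute path must stay inside the base
    // directory, even if the allowlist itself were ever misconfigured.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $template): void
{
    $path = resolve_template($template);
    if ($path === null) {
        http_response_code(400); // reject, and log the rejected value
        return;
    }
    include $path;
}

render_template_safe($_GET['template'] ?? 'header');
```

Rejected values are worth logging: repeated requests with traversal sequences or unexpected keys against a template parameter are a useful detection signal for probing of this class of flaw.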

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 14:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Axiomthemes; Axiomthemes paragon
CPEs | | cpe:2.3:a:axiomthemes:paragon:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Axiomthemes; Axiomthemes paragon

Fri, 19 Dec 2025 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Metrics | | ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: total


Thu, 18 Dec 2025 07:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Paragon paragon allows PHP Local File Inclusion. This issue affects Paragon: from n/a through <= 1.1.
Title | | WordPress Paragon theme <= 1.1 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:13:46.977Z

Reserved: 2025-08-27T16:19:27.209Z

Link: CVE-2025-58225

Vulnrichment

Updated: 2025-12-18T18:58:03.803Z

NVD

Status: Modified

Published: 2025-12-18T08:15:56.707

Modified: 2026-01-20T15:17:05.633

Link: CVE-2025-58225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses