Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion.

This issue affects Crafti: from n/a through 1.12.
Published: 2026-06-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Crafti theme for WordPress includes a vulnerability where the filename used in PHP include/require statements is not properly validated. This improper control allows an attacker to cause the theme to include arbitrary local files, which can expose sensitive data and may enable the execution of malicious code if the attacker can write to a target file. The weakness is classified as CWE‑98 and can be leveraged by a user who can influence the inclusion path, potentially leading to a local file inclusion scenario.

Affected Systems

WordPress sites that use the Axiomthemes Crafti theme version 1.12 or earlier are affected. The vulnerability applies to any installation that has the Crafti theme active and includes the legacy include/require logic.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity and suggests that exploitation is likely if an attacker can influence the inclusion path. The EPSS score is not available, so the exact exploitation probability is unknown, but the lack of KEV listing does not diminish the risk. The most probable attack vector is a local file inclusion attack that an attacker can trigger by manipulating a request that reaches the theme’s include logic, either by direct input or by exploiting another component that passes unsanitized parameters.

Generated by OpenCVE AI on June 2, 2026 at 12:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Crafti theme to a version newer than 1.12 that contains a fix for this LFI issue.
  • If a newer version is not yet available, remove or disable the Crafti theme from the WordPress installation to eliminate the vulnerable code path.
  • Deploy a web application firewall rule that blocks attempts to include files from the Crafti theme directory or any subdirectories controlled by the theme.


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Crafti allows PHP Local File Inclusion. This issue affects Crafti: from n/a through 1.12.
Title | | WordPress Crafti theme <= 1.12 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T12:11:22.435Z

Reserved: 2025-09-03T12:43:12.583Z

Link: CVE-2025-58705

Vulnrichment

Updated: 2026-06-02T12:11:16.357Z

NVD

Status: Deferred

Published: 2026-06-02T12:16:16.743

Modified: 2026-06-02T13:03:31.153

Link: CVE-2025-58705

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T12:30:08Z

Weaknesses