Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playful playful allows PHP Local File Inclusion. This issue affects Playful: from n/a through <= 1.19.0.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves improper control of the filename used in PHP include/require statements within the Playful theme. An attacker who can influence the filename can cause the theme to read arbitrary local files, potentially exposing sensitive configuration files or, if the included file contains executable code, leading to local code execution. The primary impact is local file inclusion, which can compromise confidentiality and integrity of the site.

Affected Systems

AncoraThemes’ Playful WordPress theme is impacted. All installations of the theme version 1.19.0 or earlier are vulnerable. Any WordPress site running this theme within the stated version range is at risk.

Risk and Exploitability

The CVSS score of 8.1 signals high severity. The EPSS score of less than 1% suggests that exploitation likelihood is currently low, and the vulnerability is not in the CISA KEV catalog. Exploitation requires an attacker to supply a crafted request that triggers the vulnerable include logic. While there is no known public exploit at this time, the vulnerability could be used to read arbitrary files and, based on the description, it is inferred that the flaw might allow code execution if an attacker can include a file containing PHP code. The risk remains theoretical until a proof‑of‑concept materializes.

Generated by OpenCVE AI on April 30, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Playful theme to a version newer than 1.19.0 from AncoraThemes.
  • If no updated version exists, disable or remove the Playful theme from the WordPress installation to eliminate the vulnerable code path.
  • If a suitable upgrade or removal is not possible, contact AncoraThemes for a patch or consider migrating to an alternative theme.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Metrics
  Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Metrics
  Values Removed: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 16 Jan 2026 20:30:00 +0000

Values Added:
  First Time appeared: Ancorathemes; Ancorathemes playful
  CPEs: cpe:2.3:a:ancorathemes:playful:*:*:*:*:*:wordpress:*:*
  Vendors & Products: Ancorathemes; Ancorathemes playful

Fri, 19 Dec 2025 09:30:00 +0000

Values Added:
  First Time appeared: Wordpress; Wordpress wordpress
  Vendors & Products: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 18:15:00 +0000

Values Added:
  Metrics: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Values Added:
  Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playful playful allows PHP Local File Inclusion. This issue affects Playful: from n/a through <= 1.19.0.
  Title: WordPress Playful theme <= 1.19.0 - Local File Inclusion vulnerability
  Weaknesses: CWE-98
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:49.156Z

Reserved: 2025-09-05T10:50:25.874Z

Link: CVE-2025-58890

Vulnrichment

Updated: 2025-12-18T18:09:28.471Z

NVD

Status: Modified

Published: 2025-12-18T08:15:58.167

Modified: 2026-04-27T19:16:15.893

Link: CVE-2025-58890

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:00:14Z

Weaknesses