Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Alright alright allows PHP Local File Inclusion. This issue affects Alright: from n/a through <= 1.6.1.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker may exploit a flaw in the Alright theme that allows inclusion of local files on the server, which can result in disclosure of sensitive information or, in some cases, execution of arbitrary PHP code. The weakness is a classic improperly controlled include/require operation (CWE-98) and can compromise both data confidentiality and system integrity if an attacker can control the included path.

Affected Systems

The vulnerability exists in the Alright WordPress theme supplied by axiomthemes, affecting all versions from the earliest releases through version 1.6.1. Sites running any of these releases are at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. The EPSS score of less than 1% suggests that, at present, exploitation attempts are rare, and the vulnerability is not listed in the CISA KEV catalog. Exploitation likely requires reaching the WordPress installation's include mechanism, typically via a crafted request to the application. Although the inclusion itself is local, the flaw could be leveraged to achieve remote code execution if an attacker can supply an arbitrary PHP file on the server or trigger the inclusion of a script that is already present in the environment.

Generated by OpenCVE AI on April 29, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Alright theme to the latest available version, which removes the include vulnerability
  • If an update is not immediately possible, disable or uninstall the Alright theme to prevent the flaw from being exploitable
  • Configure the PHP environment to restrict file inclusions by setting the include_path to a safe directory, forcing directory restrictions, and disabling allow_url_include via php.ini
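
The third action above deserves a caveat: allow_url_include=Off blocks remote (URL wrapper) inclusion only, so it does not by itself stop a local file inclusion of the kind described on this page; the include path still has to be constrained in code. The following is an added example, not code from the Alright theme or from axiomthemes, showing the generic CWE-98 pattern next to a hardened replacement. The directory layout (./templates/), the request parameter name "tpl" and the template names are assumptions for illustration.

```php
<?php
// Added example (hypothetical; not the Alright theme's code).
// Assumed layout: template files live under ./templates/ and are chosen by a "tpl" request parameter.

declare(strict_types=1);

// --- Vulnerable pattern (CWE-98, illustrative only) ---
// The request value flows straight into include, so "../" sequences or an absolute
// path select files the author never intended (config files, uploaded scripts, etc.).
function render_unsafe(string $tpl): void
{
    include __DIR__ . '/templates/' . $tpl . '.php';
}

// --- Hardened replacement ---
// 1. Map the externally supplied name onto a fixed allowlist of template files.
// 2. Resolve the chosen path with realpath() and confirm it still lies inside TEMPLATE_DIR.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_TEMPLATES = [
    'home'    => 'home.php',
    'single'  => 'single.php',
    'archive' => 'archive.php',
];

function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null; // unknown name: refuse rather than guess
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // Defence in depth: even an allowlisted entry must resolve under TEMPLATE_DIR
    // (guards against symlinks or a later edit of the allowlist).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_safe(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Hypothetical request handling: the raw parameter is only ever used as an allowlist key.
render_safe((string)($_GET['tpl'] ?? 'home'));
```

The design point is that the untrusted value never becomes part of a filesystem path; it is only a key into a table the developer controls, and the realpath() prefix check is a second, independent guard. open_basedir and a restricted include_path (the php.ini hardening recommended above) limit the blast radius but do not replace this check.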

Generated by OpenCVE AI on April 29, 2026 at 22:36 UTC.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 14:30:00 +0000

Type: First Time appeared
Values Added: Axiomthemes; Axiomthemes alright
Type: CPEs
Values Added: cpe:2.3:a:axiomthemes:alright:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Axiomthemes; Axiomthemes alright

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Alright alright allows PHP Local File Inclusion.This issue affects Alright: from n/a through <= 1.6.1.
Type: Title
Values Added: WordPress Alright theme <= 1.6.1 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:49.248Z

Reserved: 2025-09-05T10:50:39.328Z

Link: CVE-2025-58893

Vulnrichment

Updated: 2025-12-18T17:07:01.854Z

NVD

Status : Modified

Published: 2025-12-18T08:15:58.553

Modified: 2026-04-27T19:16:16.287

Link: CVE-2025-58893

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:45:06Z

Weaknesses