Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion. This issue affects Good Mood: from n/a through <= 1.16.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Good Mood theme allows unvalidated use of a filename in a PHP include or require statement, enabling a local file inclusion flaw. If exploited, an attacker can read arbitrary files from the web server or potentially execute code if a writable or remotely fetchable file is included. This flaw aligns with CWE-98 and poses a high risk to confidentiality and integrity of the site’s files.

Affected Systems

The vulnerability affects the WordPress Good Mood theme from its initial version through any release up to and including 1.16. Users running WordPress with this theme must verify their installed theme version; any version of Good Mood 1.16 or earlier is impacted.

Risk and Exploitability

The CVSS score of 8.1 categorizes the flaw as High severity. The EPSS score of under 1% indicates that, as of the latest data, the probability of public exploitation is very low, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is local, exploiting a path that the theme uses without proper validation; it may be triggered through a front‑end request that passes a file name to the theme. If an attacker can control the file name or access the theme’s hosting environment, the LFI could be abused to read backups, configuration files, or system binaries, potentially leading to further compromise.

Generated by OpenCVE AI on April 30, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WordPress Good Mood theme to version 1.17 or later to eliminate the vulnerable code path.
  • If an upgrade is not immediately possible, modify the theme’s file inclusion logic to enforce strict whitelisting of allowable files, rejecting any other paths.
  • As a temporary measure, configure the web server or WordPress permissions to restrict read and execution access to the wp‑content/themes directory, thereby limiting an attacker’s ability to read or include sensitive files.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 15:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Axiomthemes; Axiomthemes good Mood

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:axiomthemes:good_mood:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Removed: (none)
Values Added: Axiomthemes; Axiomthemes good Mood

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion. This issue affects Good Mood: from n/a through <= 1.16.

Type: Title
Values Removed: (none)
Values Added: WordPress Good Mood theme <= 1.16 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:49.319Z

Reserved: 2025-09-05T10:50:39.329Z

Link: CVE-2025-58894

Vulnrichment

Updated: 2025-12-18T17:06:01.127Z

NVD

Status: Modified

Published: 2025-12-18T08:15:58.687

Modified: 2026-04-27T19:16:16.420

Link: CVE-2025-58894

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:00:14Z

Weaknesses