Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion.

This issue affects Fermentio: from n/a through 1.5.0.
Published: 2026-06-02
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename that is passed to a PHP include/require statement within the Axiomthemes Fermentio WordPress theme (CWE-98). An attacker who can influence that path can make the theme include an arbitrary local file: a non-PHP file is emitted to the response, and a file containing PHP is executed in the web server's security context. In practice this allows reading configuration files, credentials and other sensitive data the web server process can open, and, where the attacker can first place PHP into a file the server can reach (for example an upload or a log), arbitrary code execution, compromising the confidentiality, integrity and availability of the affected site.

Affected Systems

All installations of the Fermentio theme released by Axiomthemes up to and including version 1.5.0 are impacted; the lower bound is given as "n/a", so every earlier release should be treated as affected. This includes any WordPress site that has the theme applied without a later, fixed version. No other products or vendor components are mentioned as affected.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) gives a score of 8.1, High: the flaw is reachable over the network without privileges or user interaction, and a successful exploit fully compromises confidentiality, integrity and availability, but the attack complexity is rated High, which is what keeps the score below the 9.8 that an equivalent low-complexity inclusion would receive. The EPSS score is not available, so the current exploitation probability is unknown; the absence of an EPSS value does not imply the flaw is unexploited. The flaw is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no. Based on the CWE-98 classification, an attacker most likely supplies a crafted path, for example through a URL parameter or form field that the theme passes to include/require without validation; the specific parameter and file have not been disclosed. Once exploited, the attacker can read any file the web server process can open and, where attacker-controlled content can be included, execute PHP, leading to full site compromise.

Generated by OpenCVE AI on June 2, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Fermentio theme to a release newer than 1.5.0 that contains the LFI fix as soon as the vendor publishes one; until then treat every installation at 1.5.0 or earlier as vulnerable.
  • Modify any custom code that performs includes in the theme to use a hard‑coded, validated path rather than user input, ensuring no unfiltered filenames are processed: map the request value to a fixed allowlist of template names and build the include path only from those constants.
  • If an immediate theme update cannot be performed, limit what a successful include can reach: set PHP's open_basedir so the web server process can only open files under the WordPress installation, and add a web server rule (for example in .htaccess) that rejects requests whose query string or path contains traversal sequences such as ../ and their URL‑encoded forms. These are stopgaps that reduce exposure; they do not remove the flaw.
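As an added illustration, not code from the Fermentio theme (the actual parameter and file involved have not been published), the following PHP places the CWE-98 pattern described under Impact beside the allowlisted, hard-coded include that the second recommended action calls for. The parameter name `layout`, the `partials/` directory and the layout names are assumptions; `get_template_directory()` is the real WordPress function, with a stand-in defined so the file also runs from the command line outside WordPress.

```php
<?php
// Added illustration of the CWE-98 pattern and its fix. This is NOT code
// from the Fermentio theme; the parameter name "layout", the partials/
// directory and the layout names are assumptions made for the example.

if (!function_exists('get_template_directory')) {
    // Stand-in so the file runs outside WordPress; inside WordPress the
    // real get_template_directory() returns the active theme's directory.
    function get_template_directory(): string { return __DIR__; }
}

// VULNERABLE: the request value is concatenated straight into the path.
// ?layout=../../../../../../../etc/passwd emits that file into the page;
// ?layout=../../../uploads/2026/06/avatar.jpg executes any PHP an attacker
// previously embedded in that upload. Both run as the web server user.
function load_partial_vulnerable(): void
{
    $layout = isset($_GET['layout']) ? (string) $_GET['layout'] : 'default';
    include get_template_directory() . '/partials/' . $layout;
}

// HARDENED: the request only selects a key in a fixed allowlist; the
// string that reaches include() is built entirely from constants.
function load_partial_hardened(): void
{
    $allowed = array(
        'default' => 'default.php',
        'grid'    => 'grid.php',
        'list'    => 'list.php',
    );
    $key = isset($_GET['layout']) ? (string) $_GET['layout'] : 'default';
    if (!array_key_exists($key, $allowed)) {
        $key = 'default';           // unknown value: fall back, never echo it
    }

    // Defence in depth: even though the name came from the allowlist,
    // confirm the resolved file still lives under the partials directory.
    $base = realpath(get_template_directory() . '/partials');
    $path = ($base === false) ? false : realpath($base . '/' . $allowed[$key]);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return;                     // missing or escaped: include nothing
    }
    include $path;
}

// Self-check when run from the CLI: php this_file.php
// The traversal value is rejected by the allowlist; the hardened loader
// includes partials/default.php if it exists and otherwise nothing.
if (PHP_SAPI === 'cli') {
    $_GET['layout'] = '../../../../../../../etc/passwd';
    load_partial_hardened();
    echo "hardened loader ignored the traversal value\n";
}
```

The allowlist is the actual fix: once the include path no longer contains any request-derived bytes, traversal, wrappers and null bytes are irrelevant. The realpath check is cheap insurance against a later edit that reintroduces a dynamic segment, and open_basedir (third recommended action) bounds what even a regressed include could read.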

Generated by OpenCVE AI on June 2, 2026 at 15:51 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:15:00 +0000

Type         Values Removed   Values Added
Description  -                Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Axiomthemes Fermentio allows PHP Local File Inclusion. This issue affects Fermentio: from n/a through 1.5.0.
Title        -                WordPress Fermentio theme <= 1.5.0 - Local File Inclusion vulnerability
Weaknesses   -                CWE-98
References   -
Metrics      -                cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-02T15:15:14.184Z

Reserved: 2025-09-05T10:50:39.329Z

Link: CVE-2025-58897

Vulnrichment

Updated: 2026-06-02T15:15:10.695Z

NVD

Status : Deferred

Published: 2026-06-02T14:16:35.507

Modified: 2026-06-02T14:43:49.920

Link: CVE-2025-58897

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T16:00:17Z

Weaknesses