Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Frame frame allows PHP Local File Inclusion. This issue affects Frame: from n/a through <= 2.4.0.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename for include/require statements in PHP, allowing local file inclusion. This flaw can be leveraged by an attacker to include arbitrary files, potentially leading to execution of malicious code or disclosure of sensitive information. The weakness is classified as CWE-98.

Affected Systems

AncoraThemes Frame theme from any version through 2.4.0. The issue affects WordPress sites that are running this theme version, regardless of the WordPress core version.

Risk and Exploitability

The CVSS score of 8.1 rates the vulnerability as high severity. The EPSS score of less than 1% shows a low probability of being actively targeted, but the threat is still present. Because the vulnerability is not listed in the CISA KEV catalog, it is not currently known to have widespread exploitation. Likely attack vectors involve a crafted HTTP request that manipulates the filename supplied to an include or require statement.

Generated by OpenCVE AI on April 29, 2026 at 13:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AncoraThemes Frame theme to version 2.4.1 or newer that mitigates the local file inclusion flaw.
  • Remove or refactor any dynamic include statements in the theme code to use a strict whitelist of approved files.
  • Restrict file permissions on the WordPress installation so that only the web server user can write to the theme directory and disallow execution of arbitrary files in it.
  • Enable logging of file inclusion attempts and monitor logs for suspicious activity.
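
The strict-whitelist recommendation above, sketched as an added example; this is not code from the Frame theme, and the function name, the `part` parameter, the template keys and the `templates` directory are all hypothetical:

```php
<?php
// Added example with hypothetical names; not code from the Frame theme.

// Pattern behind CWE-98 (what to remove): a request value reaches include directly.
//   include $base_dir . '/' . $_GET['part'] . '.php';

/**
 * Resolve a requested template key to a file path, or return null.
 * $allowed maps public keys to fixed relative paths; user input is only
 * used as an array key and is never concatenated into a path.
 */
function example_resolve_template(string $requested, array $allowed, string $base_dir): ?string
{
    if (!array_key_exists($requested, $allowed)) {
        // Log rejected values (URL-encoded to keep the log line intact)
        // so inclusion probing shows up in monitoring.
        error_log('template include rejected: ' . rawurlencode($requested));
        return null;
    }

    $base = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . $allowed[$requested]);

    // Defence in depth: the resolved file must exist and stay inside $base_dir,
    // which also catches a symlink planted in the template directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('template include outside base dir: ' . rawurlencode($requested));
        return null;
    }
    return $path;
}

// Constructed allowlist for illustration.
$allowed = [
    'header'  => 'parts/header.php',
    'sidebar' => 'parts/sidebar.php',
];

$requested = isset($_GET['part']) && is_string($_GET['part']) ? $_GET['part'] : 'header';
$file = example_resolve_template($requested, $allowed, __DIR__ . '/templates');

if ($file === null) {
    http_response_code(404);
    exit;
}
require $file;
```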


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 16 Jan 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ancorathemes; Ancorathemes frame
CPEs | | cpe:2.3:a:ancorathemes:frame:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Ancorathemes; Ancorathemes frame

Fri, 19 Dec 2025 09:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wordpress; Wordpress wordpress
Vendors & Products | | Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type | Values Removed | Values Added
Description | | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Frame frame allows PHP Local File Inclusion. This issue affects Frame: from n/a through <= 2.4.0.
Title | | WordPress Frame theme <= 2.4.0 - Local File Inclusion vulnerability
Weaknesses | | CWE-98
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:15:10.485Z

Reserved: 2025-09-05T10:50:39.329Z

Link: CVE-2025-58899

Vulnrichment

Updated: 2025-12-18T18:56:42.868Z

NVD

Status: Modified

Published: 2025-12-18T08:15:59.210

Modified: 2026-01-20T15:17:09.717

Link: CVE-2025-58899

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z
