Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Takeout takeout allows PHP Local File Inclusion.This issue affects Takeout: from n/a through <= 1.3.0.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the AncoraThemes Takeout WordPress theme stems from an improper control of filenames used in PHP include/require statements, a flaw that aligns with CWE‑98. An attacker can manipulate a filename parameter to cause the server to read arbitrary local files. While this does not provide direct remote code execution, the exposed data—such as configuration files or credentials—can enable further attacks.

Affected Systems

All installations of the Takeout theme up to and including version 1.3.0 are affected. Users whose WordPress sites run an unpatched Takeout theme may be vulnerable to this local file inclusion flaw.

Risk and Exploitability

The CVSS score of 8.1 classifies the flaw as high severity, but the EPSS score of less than 1% indicates a low overall likelihood of exploitation. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is via crafted HTTP requests that supply a malicious filename to the vulnerable include/require endpoint, allowing unauthenticated users to read arbitrary server files.

Generated by OpenCVE AI on April 29, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Takeout theme to a version that removes the vulnerable include logic.
  • Validate or sanitize any user‑supplied filename before including; restrict to a whitelist of safe paths.
  • Deploy a web application firewall rule that blocks directory traversal and null‑byte injection attempts targeting the include/require endpoint.

Generated by OpenCVE AI on April 29, 2026 at 15:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 16 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Ancorathemes
Ancorathemes takeout
CPEs cpe:2.3:a:ancorathemes:takeout:*:*:*:*:*:wordpress:*:*
Vendors & Products Ancorathemes
Ancorathemes takeout

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Takeout takeout allows PHP Local File Inclusion.This issue affects Takeout: from n/a through <= 1.3.0.
Title WordPress Takeout theme <= 1.3.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Ancorathemes Takeout
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:15:28.430Z

Reserved: 2025-09-05T10:50:39.330Z

Link: CVE-2025-58901

cve-icon Vulnrichment

Updated: 2025-12-18T18:55:34.643Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:15:59.477

Modified: 2026-01-20T15:17:09.993

Link: CVE-2025-58901

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses