Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Critique critique allows PHP Local File Inclusion.This issue affects Critique: from n/a through <= 1.17.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Critique WordPress theme contains a Local File Inclusion vulnerability (CWE‑98) that allows an attacker to control the filename in an include/require statement. By manipulating the request, an attacker could read arbitrary local files or execute code placed within them, compromising the confidentiality, integrity, or availability of the web application.

Affected Systems

Axiom Themes’ Critique theme is affected in all releases from the initial version up to and including version 1.17. Users running this theme should verify their installed version and update to 1.18 or later if available.

Risk and Exploitability

The CVSS score of 8.1 reflects a high severity, while the EPSS score of less than 1% indicates a low probability of current exploitation. The issue is not listed in the CISA KEV catalog. The likely attack vector involves sending a crafted HTTP request to the theme’s PHP entry point that triggers the vulnerable include. Even with low usage probability, the potential impact warrants prompt action.

Generated by OpenCVE AI on April 29, 2026 at 13:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Critique theme to the latest version (1.18 or newer) which removes the vulnerable include logic.
  • If an upgrade is not immediately available, disable or remove the Critique theme and switch to a vetted alternative to eliminate the attack surface.
  • Configure a web application firewall or file inclusion filter to block attempts to access or include local files through the theme’s entry points.

Generated by OpenCVE AI on April 29, 2026 at 13:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes critique
CPEs cpe:2.3:a:axiomthemes:critique:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes critique

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Critique critique allows PHP Local File Inclusion.This issue affects Critique: from n/a through <= 1.17.
Title WordPress Critique theme <= 1.17 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes Critique
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:15:37.241Z

Reserved: 2025-09-06T04:44:31.841Z

Link: CVE-2025-58923

cve-icon Vulnrichment

Updated: 2025-12-18T18:46:05.009Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:15:59.607

Modified: 2026-01-20T15:17:10.520

Link: CVE-2025-58923

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses