Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Cerebrum cerebrum allows PHP Local File Inclusion.This issue affects Cerebrum: from n/a through <= 1.12.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Cerebrum WordPress theme contains an improper control of the filename used in a PHP include/require statement, enabling local file inclusion. An attacker who can influence the file path parameter may cause the theme to include arbitrary files on the server, leading to disclosure of sensitive data or execution of malicious code if the included file is processed as PHP. This flaw aligns with CWE‑98 and can compromise confidentiality, integrity, and potentially availability of the site.

Affected Systems

The vulnerability affects all released versions of the Cerebrum theme up to and including 1.12. Users running WordPress with this theme version are at risk, regardless of the underlying WordPress edition.

Risk and Exploitability

The CVSS base score of 8.1 indicates a high severity. The EPSS score of <1% suggests a low probability of exploitation in the wild, and the flaw is not listed in CISA’s KEV catalog. Likely exploitation requires a user‑controlled input that is passed directly to the include/require path, such as a malformed query string or theme configuration option. Once triggered, the attacker can read arbitrary files or inject PHP code, enabling further compromise.

Generated by OpenCVE AI on April 29, 2026 at 13:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Cerebrum theme to a version newer than 1.12, or remove the theme entirely if an update is not feasible.
  • If an immediate upgrade is impossible, disable the theme or replace it with a non‐vulnerable alternative while awaiting a patch.
  • Apply a patch that sanitises the filename before inclusion, ensuring only whitelisted paths are used or that the include/require call does not accept user‑supplied values.
  • Deploy a web application firewall that blocks known patterns for local file inclusion attempts.
  • Monitor site logs for unusual file inclusion activity and verify that the vulnerability has been fully mitigated.

Generated by OpenCVE AI on April 29, 2026 at 13:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes cerebrum
CPEs cpe:2.3:a:axiomthemes:cerebrum:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes cerebrum

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Cerebrum cerebrum allows PHP Local File Inclusion.This issue affects Cerebrum: from n/a through <= 1.12.
Title WordPress Cerebrum theme <= 1.12 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes Cerebrum
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:15:56.547Z

Reserved: 2025-09-06T04:44:31.841Z

Link: CVE-2025-58926

cve-icon Vulnrichment

Updated: 2025-12-18T18:45:29.209Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:15:59.870

Modified: 2026-01-20T15:17:10.810

Link: CVE-2025-58926

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses