Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Heart heart allows PHP Local File Inclusion.This issue affects Heart: from n/a through <= 1.8.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from improper validation of filenames used in PHP include/require statements within the Heart WordPress theme. An attacker who can manipulate the include path, likely through a crafted request to the theme, could trigger a local file inclusion that allows reading of arbitrary files or execution of malicious PHP code, thereby exposing sensitive data or enabling remote code execution.

Affected Systems

The Heart theme by axiomthemes for WordPress is affected. All releases from the initial build, with no minimum version specified, through version 1.8 are vulnerable. The only version information provided is the upper bound of 1.8; individual patch levels within that range are not documented.

Risk and Exploitability

The CVSS base score of 8.1 indicates high severity, while the EPSS score of less than 1 % suggests that few attacks are currently observed. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, it is inferred that an attacker would need the ability to influence the include path parameter, which typically requires some form of user input or configuration manipulation. The likely attack vector is local execution on the server, contingent on the theme processing directories that contain controlled filenames.

Generated by OpenCVE AI on April 29, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Heart theme to a version beyond 1.8 or apply the vendor's official patch
  • If upgrading is not possible immediately, disable or remove the theme from active use to eliminate the vulnerable code path
  • Restrict file permissions for the WordPress installation and ensure PHP includes only from trusted directories
  • Implement input validation to sanitize any filenames that may be passed to include/require functions

Generated by OpenCVE AI on April 29, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes heart
CPEs cpe:2.3:a:axiomthemes:heart:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes heart

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Heart heart allows PHP Local File Inclusion.This issue affects Heart: from n/a through <= 1.8.
Title WordPress Heart theme <= 1.8 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes Heart
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:16:15.243Z

Reserved: 2025-09-06T04:44:31.842Z

Link: CVE-2025-58928

cve-icon Vulnrichment

Updated: 2025-12-18T18:51:19.351Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:16:00.133

Modified: 2026-01-20T15:17:11.080

Link: CVE-2025-58928

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T16:00:06Z

Weaknesses