Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion. This issue affects Prisma: from n/a through <= 1.10.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The theme builds the filename for a PHP include/require statement from input an attacker can control (CWE-98, improper control of the filename for an include/require statement). The reachable outcome here is local file inclusion: the attacker can make the server read files it should not expose, and if a file the attacker can write to (for example an upload containing PHP) is included, the server executes that code.

Affected Systems

The AxiomThemes Prisma WordPress theme in versions up to and including 1.10 is affected. The record gives no lower bound ("from n/a"), so every earlier release should be treated as affected, and the page lists no fixed version.

Risk and Exploitability

The current CVSS 3.1 score of 8.1 (vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) classifies the flaw as high severity: reachable over the network with no privileges or user interaction and with full confidentiality, integrity and availability impact, offset by high attack complexity. The earlier NVD vector (8.2, AC:L with C:H/I:L/A:N) rated it easier to exploit but with lower impact, and the SSVC assessment was likewise revised from "Automatable: yes, Technical Impact: partial" to "Automatable: no, Technical Impact: total". The EPSS score below 1% suggests exploitation is unlikely at present, and the vulnerability is not listed in CISA KEV. The record does not name the vulnerable parameter; the likely attack vector is a crafted value in whatever request input the theme passes to an include/require statement. Because the flaw lets an attacker choose which local file is included, it can expose configuration files such as wp-config.php (and the database credentials they hold), and it becomes code execution if the attacker can place PHP in any file the server can read, for example through an upload.

Generated by OpenCVE AI on April 29, 2026 at 22:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Prisma theme to a release later than 1.10 as soon as the vendor publishes a fixed version; the record currently lists none.
  • If an update is not yet available, find the include/require statements in the theme whose filename depends on request input and either remove them or restrict the accepted values to a fixed allowlist of template names that are resolved under the theme's own directory.
  • Harden the hosting environment as a complementary measure: deny direct PHP execution in wp-content/uploads and other writable directories, set open_basedir so the PHP process can only read the paths it needs, and run the web-server user with the least file-system privilege necessary. A web-server rule does not stop include() from executing PHP inside an uploaded file, so this limits the damage rather than closing the flaw.
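
The following is an added illustration, not code from the Prisma theme (the page does not show the vulnerable code) and not the vendor's fix. It places the include pattern CWE-98 describes beside an allowlist-and-containment rewrite, then exercises both against constructed files in a temporary directory. The request parameter name, the template names and the directory layout are assumptions made for the example.

```php
<?php
// Added illustration, not code from the Prisma theme and not the vendor's fix.
// The template names, the directory layout and the idea that a request
// parameter selects a template are assumptions for this example.
declare(strict_types=1);

// CWE-98 pattern: the filename handed to include() is built from request input.
// With $requested = "../../../../wp-config" this includes wp-config.php; with a
// path to a file the attacker can write (an upload that contains PHP) the
// server executes it, which is how an LFI turns into code execution.
function render_template_vulnerable(string $templateDir, string $requested): void
{
    include $templateDir . '/' . $requested . '.php';
}

// Hardened pattern: accept only a fixed allowlist of template names, then
// resolve the path and confirm it is still inside the template directory.
const ALLOWED_TEMPLATES = ['header', 'footer', 'sidebar', 'post-card'];

function resolve_template(string $templateDir, string $requested): ?string
{
    // Strict comparison against the allowlist rejects traversal sequences,
    // absolute paths, null bytes and anything else that is not a bare name.
    if (!in_array($requested, ALLOWED_TEMPLATES, true)) {
        return null;
    }
    $base      = realpath($templateDir);
    $candidate = realpath($templateDir . DIRECTORY_SEPARATOR . $requested . '.php');
    // realpath() returns false for missing files and collapses "..", so the
    // prefix check below is defence in depth in case the allowlist is ever
    // populated from configuration rather than from a literal.
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function render_template_hardened(string $templateDir, string $requested): bool
{
    $path = resolve_template($templateDir, $requested);
    if ($path === null) {
        // A real theme would fall back to a default template; here we report failure.
        return false;
    }
    include $path;
    return true;
}

// Demonstration with constructed files in a temporary directory: one legitimate
// template inside it and one "attacker-controlled" PHP file one level above it.
$tmp    = sys_get_temp_dir();
$dir    = $tmp . '/lfi-demo-' . bin2hex(random_bytes(4));
$secret = 'secret-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/header.php", "<?php echo \"  [template] header rendered\\n\";");
file_put_contents("$tmp/$secret.php", "<?php echo \"  [outside] file outside the theme executed\\n\";");

echo "vulnerable, legitimate input:\n";
render_template_vulnerable($dir, 'header');
echo "vulnerable, traversal input:\n";
render_template_vulnerable($dir, "../$secret");          // include() follows the ".." and runs the outside file

echo "hardened, legitimate input:\n";
var_dump(render_template_hardened($dir, 'header'));       // allowlisted name, template is included
echo "hardened, traversal input:\n";
var_dump(render_template_hardened($dir, "../$secret"));   // rejected by the allowlist, no include() runs
echo "hardened, allowlisted name with a null byte appended:\n";
var_dump(render_template_hardened($dir, "header\0"));     // strict comparison rejects it as well

unlink("$dir/header.php");
unlink("$tmp/$secret.php");
rmdir($dir);
```

Run it with `php lfi-demo.php`. The allowlist is the actual fix: it turns an open-ended filename into a selection among known values, so no path arithmetic on attacker input ever reaches include(). The realpath containment check costs little and catches the case where a later change makes the allowlist itself configurable.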


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

  Metrics ssvc
    Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics cvssV3_1
    Removed: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
    Added:   {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Tue, 23 Dec 2025 20:15:00 +0000

  CPEs
    Added: cpe:2.3:a:axiomthemes:prisma:*:*:*:*:*:wordpress:*:*

Fri, 19 Dec 2025 09:30:00 +0000

  First Time appeared
    Added: Axiomthemes; Axiomthemes prisma; Wordpress; Wordpress wordpress
  Vendors & Products
    Added: Axiomthemes; Axiomthemes prisma; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

  Metrics cvssV3_1
    Added: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  Metrics ssvc
    Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

  Description
    Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion. This issue affects Prisma: from n/a through <= 1.10.
  Title
    Added: WordPress Prisma theme <= 1.10 - Local File Inclusion vulnerability
  Weaknesses
    Added: CWE-98
  References
    (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:49.952Z

Reserved: 2025-09-06T04:44:31.842Z

Link: CVE-2025-58932

Vulnrichment

Updated: 2025-12-18T16:57:13.872Z

NVD

Status : Modified

Published: 2025-12-18T08:16:00.670

Modified: 2026-04-27T20:16:19.983

Link: CVE-2025-58932

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:45:06Z

Weaknesses