Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes The Gig thegig allows PHP Local File Inclusion.This issue affects The Gig: from n/a through <= 1.18.0.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Gig plugin for WordPress contains a Local File Inclusion flaw, identified as CWE-98, caused by insufficient validation of filenames passed to PHP include/require calls. An attacker can supply arbitrary file paths to the vulnerable endpoint, causing the theme to read or include files located on the server. In the worst case, if attacker-controlled writable files are used, remote code execution is possible. The impact ranges from disclosure of sensitive configuration files to full site compromise, affecting confidentiality, integrity, and availability.

Affected Systems

All deployments of Axiomthemes The Gig theme up to and including version 1.18.0 are affected; any WordPress site running this theme with those versions is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while an EPSS score of <1% indicates that exploitation is currently rare but still possible. The vulnerability is publicly reachable by forging a specific HTTP request that steers the include path. Because the theme executes in the context of the WordPress installation, an attacker could read arbitrary files or inject malicious code, creating a critical entry point. The issue is not listed in CISA’s KEV catalog.

Generated by OpenCVE AI on April 30, 2026 at 04:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Axiomthemes The Gig theme to a version newer than 1.18.0 that contains the LFI fix.
  • If an upgrade is not immediately possible, disable the theme’s vulnerable include functionality or restrict access to the directory where the include file resides.
  • Disable allow_url_include in php.ini and validate all file paths before inclusion.
  • Implement a web application firewall rule that blocks attempts to manipulate file paths and other known LFI attack patterns.

Generated by OpenCVE AI on April 30, 2026 at 04:49 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes the Gig
CPEs cpe:2.3:a:axiomthemes:the_gig:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes the Gig

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes The Gig thegig allows PHP Local File Inclusion.This issue affects The Gig: from n/a through <= 1.18.0.
Title WordPress The Gig theme <= 1.18.0 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes The Gig
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.011Z

Reserved: 2025-09-06T04:44:48.015Z

Link: CVE-2025-58934

cve-icon Vulnrichment

Updated: 2025-12-18T18:18:14.870Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:16:00.940

Modified: 2026-04-27T20:16:20.243

Link: CVE-2025-58934

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:00:14Z

Weaknesses