Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion. This issue affects Manufactory: from n/a through <= 1.4.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Manufactory theme includes PHP code that fails to validate filenames supplied to include/require statements, allowing local file inclusion. This flaw can enable an attacker to read sensitive files on the server or execute arbitrary PHP code if crafted input is processed, thereby compromising confidentiality and integrity of the site.

Affected Systems

AxiomThemes’ Manufactory WordPress theme, version 1.4 and earlier (every release from the first build through v1.4).

Risk and Exploitability

The CVSS score of 8.1 marks the vulnerability as high severity, yet the EPSS score of less than 1% indicates a very low probability of exploitation at present. It is not listed in the CISA KEV catalog, suggesting no known active exploitation. The likely attack vector is local file inclusion via the theme’s unvalidated include paths, requiring an attacker to leverage some form of input that changes the filename used by the theme. This underscores the need for prompt remediation to prevent potential data disclosure or code execution.

Generated by OpenCVE AI on April 29, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Manufactory theme to the latest release (v1.5 or newer) that removes the vulnerable include paths.
  • If an immediate upgrade is not possible, disable or patch the theme code that performs dynamic includes—either comment out the relevant sections or replace them with securely coded alternatives that only allow whitelisted file paths.
  • Configure PHP to set allow_url_include to Off and enable open_basedir to limit file inclusion to the webroot and approved directories, thereby mitigating the impact of any remaining LFI attempts.

Generated by OpenCVE AI on April 29, 2026 at 22:29 UTC.
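The allowlisted-include alternative named in the second recommended action, as an added illustration written for this page (it is not code from the Manufactory theme or from OpenCVE); $templateDir, resolve_template(), load_template() and the ?template= parameter are assumed names.

```php
<?php
// Added illustration, not code from the Manufactory theme: the CWE-98
// pattern this CVE describes (a filename built from request input reaching
// include), beside a hardened version that resolves only allowlisted keys.
// Assumed names: $templateDir, resolve_template(), load_template().

// Vulnerable pattern: untrusted input decides which file include() loads.
//   include $templateDir . '/' . $_GET['template'] . '.php';

/**
 * Map a request key to a fixed file inside $templateDir.
 * Returns the absolute path, or null for unknown keys or when the
 * resolved file does not live under $templateDir.
 */
function resolve_template(string $key, string $templateDir): ?string
{
    // Keys and filenames are fixed by the developer, never by the request.
    static $allowlist = [
        'default' => 'template-default.php',
        'grid'    => 'template-grid.php',
        'list'    => 'template-list.php',
    ];
    if (!array_key_exists($key, $allowlist)) {
        return null; // unknown key: never fall back to the raw input
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $allowlist[$key]);
    // Defence in depth: the resolved path must still start with $base/.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function load_template(string $templateDir): void
{
    $key  = isset($_GET['template']) ? (string) $_GET['template'] : 'default';
    $path = resolve_template($key, $templateDir);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path; // only ever an allowlisted file under $templateDir
}

// Runtime check for the php.ini hardening from the third recommended action.
if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('allow_url_include is On; set it to Off in php.ini');
}
```

open_basedir cannot be verified from a single call the same way, but ini_get('open_basedir') returning an empty string means the restriction is not set.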

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 20:15:00 +0000

Type: First Time appeared
Values Added: Axiomthemes; Axiomthemes manufactory
Type: CPEs
Values Added: cpe:2.3:a:axiomthemes:manufactory:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Axiomthemes; Axiomthemes manufactory

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 16:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion. This issue affects Manufactory: from n/a through <= 1.4.
Type: Title
Values Added: WordPress Manufactory theme <= 1.4 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.182Z

Reserved: 2025-09-06T04:44:54.905Z

Link: CVE-2025-58944

Vulnrichment

Updated: 2025-12-18T15:40:05.260Z

NVD

Status : Modified

Published: 2025-12-18T08:16:02.093

Modified: 2026-04-27T20:16:21.433

Link: CVE-2025-58944

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses