Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion. This issue affects Vocal: from n/a through <= 1.12.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This issue allows an attacker to make the Axiomthemes Vocal theme include arbitrary local files by supplying an unsanitized filename to a PHP include or require statement. The flaw can lead to disclosure of sensitive data stored on the web server or, if the included file contains executable code, remote code execution. The weakness is captured by CWE-98, making it a classic local file inclusion vulnerability.

Affected Systems

The vulnerability affects the WordPress Vocal theme from Axiomthemes, specifically all releases up to and including version 1.12. No later version is known to be vulnerable.

Risk and Exploitability

The CVSS v3.1 score is 8.1, indicating high severity. The EPSS score is below 1%, which suggests that, as of the available data, exploit activity is expected to be very low, and the vulnerability is not catalogued in the CISA KEV list. Nevertheless, because the flaw is a local file inclusion, an attacker with any ability to influence the request path to the site, such as through a public web interface, could potentially exploit it. The risk is reduced only by limiting the vulnerability's exposure, and the conservative assessment still recommends urgent remediation.

Generated by OpenCVE AI on April 29, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Vocal theme to a release newer than 1.12, which removes the insecure include handling.
  • If an upgrade is not yet possible, disable PHP's allow_url_fopen and set open_basedir so the theme cannot access files outside its own directory, thereby reducing the attack surface.
  • In the meantime, review the theme's code to ensure that all file-path arguments passed to include/require are properly validated and sanitized, preventing arbitrary path traversal.
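
The third action above is the one a theme developer has to implement in code. The following is an added illustration, not code from the Vocal theme or from Patchstack, of the unsafe pattern CWE-98 describes next to an allow-list replacement. The request parameter name `template`, the `templates/` directory and the three template names are hypothetical placeholders chosen for the example; the page does not identify the real parameter.

```php
<?php
// Added example (not the Vocal theme's code). The parameter name
// "template" and the template directory are assumptions for illustration.

// UNSAFE: the request value is concatenated into the path and handed to
// include() unchanged, so any file the PHP process can read may be
// pulled into the page. This is the shape of the CWE-98 weakness.
function render_template_unsafe(string $requested): void
{
    include __DIR__ . '/templates/' . $requested;
}

// SAFE: map untrusted input onto a fixed set of known template files and
// refuse anything else. The input itself never becomes part of a path.
const TEMPLATE_ALLOWLIST = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of an allow-listed template, or null when the
// request does not name one (or the entry resolves outside the directory).
function resolve_template(string $requested): ?string
{
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . TEMPLATE_ALLOWLIST[$requested]);
    // Defence in depth: even an allow-listed entry must resolve inside the
    // templates directory, which guards against a mistaken allow-list value.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template_safe(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Dispatch: the untrusted value only ever reaches the resolver, never include().
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'home';
render_template_safe($requested);
```

In a WordPress theme the same idea is usually expressed with `get_template_part()` called with a slug taken from an allow-list rather than from the request. The `open_basedir` setting from the second action is a complementary, process-wide limit on what PHP may read; it reduces what a still-unfixed include can reach but does not replace validating the path in the theme itself.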

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 20:15:00 +0000

Type: First Time appeared
Values Added: Axiomthemes; Axiomthemes vocal
Type: CPEs
Values Added: cpe:2.3:a:axiomthemes:vocal:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Axiomthemes; Axiomthemes vocal

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 16:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Vocal vocal allows PHP Local File Inclusion. This issue affects Vocal: from n/a through <= 1.12.
Type: Title
Values Added: WordPress Vocal theme <= 1.12 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.180Z

Reserved: 2025-09-06T04:44:54.905Z

Link: CVE-2025-58946

Vulnrichment

Updated: 2025-12-18T15:17:20.990Z

NVD

Status : Modified

Published: 2025-12-18T08:16:02.350

Modified: 2026-04-27T20:16:21.700

Link: CVE-2025-58946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses