Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion. This issue affects Athos: from n/a through <= 1.9.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename in an include/require statement allows a local file inclusion vulnerability in the Axiom Themes Athos WordPress theme. Attackers can supply a crafted filename that is passed to PHP’s include/require function, potentially reading arbitrary files or executing attacker‑supplied code. The vulnerability is classified as CWE-98 and has a CVSS score of 8.1, indicating a high severity level.

Affected Systems

Axiom Themes Athos WordPress theme versions up through 1.9 are affected. This includes any installation that has not updated to a later release of the theme.

Risk and Exploitability

The likelihood of exploitation is low at present (EPSS < 1%), and the vulnerability is not listed in the CISA KEV catalog. However, the high CVSS score indicates that a successful exploit could lead to remote code execution or sensitive data disclosure. Likely attack vectors involve application inputs that determine the file path for inclusion, such as theme option fields or URL parameters that are not properly validated. The absence of authentication requirements in the description suggests that the vulnerability could be exploitable by unauthenticated users who can manipulate these inputs.

Generated by OpenCVE AI on April 29, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Athos theme to a version that contains the fix (recommended to use the latest release).
  • If an immediate update is not possible, temporarily deactivate the Athos theme or switch to an alternative theme to eliminate the vulnerable code path.
  • Review and modify the theme’s code to enforce strict path validation for any include/require operations, restricting them to whitelisted directories and preventing user‑controlled file names.
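The last recommendation above, shown as an added PHP example (not code from the Athos theme, which is not reproduced on this page): the CWE-98 pattern, where a request value becomes the include path, next to a hardened version that maps request values to a fixed allowlist of template files and verifies the resolved path stays inside the intended directory. The parameter name `template`, the `templates/` directory and the template file names are assumptions made for the illustration.

```php
<?php
// Added illustration of CWE-98 and of the hardened include pattern recommended
// above. Not the Athos theme's code; "template", "templates/" and the file
// names below are assumptions for this example.

// Vulnerable pattern: the request value is concatenated into the include path
// unchanged, so traversal sequences or a path to a file the requester controls
// would be included and executed as PHP.
function render_template_unsafe(string $requested): void
{
    include __DIR__ . '/templates/' . $requested; // CWE-98
}

// Hardened pattern: user input never reaches include() directly. It selects an
// entry from a fixed allowlist, and the resolved path is then checked against
// the templates directory as a second, independent control.
function render_template_safe(string $requested): bool
{
    $allowed = [
        'grid'   => 'grid.php',
        'list'   => 'list.php',
        'single' => 'single.php',
    ];
    if (!isset($allowed[$requested])) {
        return false; // unknown template name: nothing is included
    }

    $baseDir = realpath(__DIR__ . '/templates');
    $target  = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);

    // realpath() returns false for a missing file and resolves ".." and
    // symlinks, so the prefix check still holds if the allowlist is later
    // edited carelessly.
    if ($baseDir === false || $target === false
        || strncmp($target, $baseDir . DIRECTORY_SEPARATOR, strlen($baseDir) + 1) !== 0) {
        return false;
    }

    include $target;
    return true;
}

// Usage: validate the request value before any include happens.
$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'grid';
if (!render_template_safe($requested)) {
    http_response_code(400);
    echo 'Unknown template';
}
```

The allowlist is the primary control: the request value is only ever used as an array key, so no part of it is interpreted as a path. The `realpath()` prefix check is a defence-in-depth measure that also makes the restriction to a single directory explicit in the code, which is what the recommendation above asks for.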

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type: Metrics
Values removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values removed: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 20:15:00 +0000

Type: First Time appeared
Values added: Axiomthemes; Axiomthemes athos
Type: CPEs
Values added: cpe:2.3:a:axiomthemes:athos:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values added: Axiomthemes; Axiomthemes athos

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 15:15:00 +0000

Type: Metrics
Values added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
Values added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Athos athos allows PHP Local File Inclusion. This issue affects Athos: from n/a through <= 1.9.
Type: Title
Values added: WordPress Athos theme <= 1.9 - Local File Inclusion vulnerability
Type: Weaknesses
Values added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.170Z

Reserved: 2025-09-06T04:44:54.905Z

Link: CVE-2025-58947

Vulnrichment

Updated: 2025-12-18T15:09:37.076Z

NVD

Status : Modified

Published: 2025-12-18T08:16:02.487

Modified: 2026-04-27T20:16:21.850

Link: CVE-2025-58947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses