Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion. This issue affects Spock: from n/a through <= 1.17.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from improper control of the filename in an include/require statement within the Spock theme, allowing a local file inclusion (LFI). An attacker could supply a crafted path that tricks the theme into including arbitrary local files, resulting in disclosure of sensitive information or execution of malicious code if the included file contains attacker-controlled content. This weakness can compromise confidentiality, integrity, and potentially availability of the affected WordPress installation.

Affected Systems

The affected product is the Spock theme released by axiomthemes for WordPress. Versions up to and including 1.17 are impacted. Any WordPress site that has installed this theme during that version range is vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. The EPSS score is below 1 %, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through the theme’s file inclusion routine, with an attacker needing the ability to influence the path argument—typically via a crafted URL or form input that the theme does not properly sanitize. If successful, the attacker can read or execute arbitrary files present on the server.

Generated by OpenCVE AI on April 29, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Spock theme to version 1.18 or later, which removes the vulnerable file inclusion logic
  • If an upgrade is not immediately possible, disable or remove the Spock theme from the WordPress installation to eliminate the attack surface
  • Apply a defensive coding change: ensure any include/require statements in the theme validate the path against a whitelist of allowed directories or use a constant base directory to prevent inclusion of arbitrary files
  • Perform a comprehensive scan of the WordPress site for other LFI or similar vulnerabilities and apply corresponding patches
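As an added illustration of the defensive coding change described above (this is example code, not code from the Spock theme or from OpenCVE), the following PHP helper resolves a request-supplied template key against an allowlist and a constant base directory and refuses anything else; the function name, the `templates/` directory and the `template` query parameter are assumptions:

```php
<?php
// Added example: constrain an include to a fixed base directory plus an allowlist.
// Function and directory names are assumptions, not taken from the Spock theme.

/**
 * Resolve a user-supplied template key to a file path that is guaranteed to
 * lie inside $baseDir, or return null if the request should be refused.
 */
function resolve_template(string $requested, string $baseDir, array $allowed): ?string
{
    // 1. Only accept keys that are explicitly allowlisted; never build a
    //    filesystem path from the raw request value.
    if (!array_key_exists($requested, $allowed)) {
        return null;
    }

    // 2. Build the path from the constant base directory and the allowlisted
    //    filename, then canonicalise both sides (realpath returns false if
    //    the target does not exist).
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $allowed[$requested]);
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Defence in depth: confirm the canonical target is still under the
    //    base directory (guards against symlinks or a misconfigured allowlist).
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// The allowlist maps request keys to fixed filenames; only the keys are ever
// compared against request input.
$allowedTemplates = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

$requested = isset($_GET['template']) ? (string) $_GET['template'] : 'header';
$file = resolve_template($requested, __DIR__ . '/templates', $allowedTemplates);

if ($file === null) {
    http_response_code(400);
    exit('Unknown template');
}
require $file; // only ever an allowlisted file under templates/
```

Whichever loader a theme uses, the request-derived value should only ever select a key from a fixed allowlist like this one, never contribute characters to the path itself.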

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 20:00:00 +0000

Type: First Time appeared
Values Added: Axiomthemes; Axiomthemes spock
Type: CPEs
Values Added: cpe:2.3:a:axiomthemes:spock:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Axiomthemes; Axiomthemes spock

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 16:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Spock spock allows PHP Local File Inclusion. This issue affects Spock: from n/a through <= 1.17.
Type: Title
Values Added: WordPress Spock theme <= 1.17 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:50.385Z

Reserved: 2025-09-06T04:44:54.905Z

Link: CVE-2025-58949

Vulnrichment

Updated: 2025-12-18T15:45:21.892Z

NVD

Status : Modified

Published: 2025-12-18T08:16:02.757

Modified: 2026-04-27T20:16:22.157

Link: CVE-2025-58949

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses