Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Karzo karzo allows PHP Local File Inclusion. This issue affects Karzo: from n/a through < 2.6.
Published: 2025-10-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Karzo theme contains an improper control of filenames used in PHP include/require statements, permitting an attacker to trigger local file inclusion (LFI). If successfully exploited, the attacker can read arbitrary files from the WordPress installation and potentially execute arbitrary PHP code, leading to a compromise of the site’s confidentiality, integrity, or availability.

Affected Systems

The vulnerability is present in all versions of the designervily Karzo WordPress theme up to, but not including, 2.6. Any WordPress site that has installed the Karzo theme in the affected version range is susceptible.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-impact vulnerability, and the EPSS score of <1% suggests a low current exploitation probability, although the risk remains significant. The vulnerability is not listed in the CISA KEV catalog. Exploitation typically occurs when an attacker crafts a request that forces the theme to include an arbitrary file path, allowing local filesystem access. No specific prerequisites are noted beyond the presence of the vulnerable theme; the attack surface is likely exposed via publicly accessible WordPress URLs that trigger the inclusion logic.

Generated by OpenCVE AI on April 29, 2026 at 14:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to Karzo theme version 2.6 or newer, which removes the insecure include logic.
  • If upgrading is not immediately possible, disable or delete the Karzo theme from the WordPress installation to eliminate the attack vector.
  • Restrict file permissions on the server and harden the PHP environment to prevent arbitrary file access, ensuring that include paths are strictly validated and not exposed to user-controlled input.

Generated by OpenCVE AI on April 29, 2026 at 14:19 UTC.
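The include-path validation the recommendations above call for, as an added PHP example that is not the Karzo theme's own code: the first function shows the CWE-98 pattern the advisory describes (an include path assembled from request input), the second maps the request value onto a fixed allowlist and verifies the resolved path before including it. The `template` parameter name and the `templates/` directory are assumptions for illustration.

```php
<?php
// Added example, not code from the Karzo theme. The "template" request
// parameter and the templates/ directory are assumptions for illustration.

// CWE-98 pattern: the include path is assembled from request input, so a
// value that is not a template name can steer include() to another file
// on disk. This is the local file inclusion condition the advisory describes.
function render_template_vulnerable(string $name): void
{
    include __DIR__ . '/templates/' . $name . '.php';
}

// Hardened pattern: the request value selects an entry from a fixed
// allowlist; the value itself never becomes part of the include path.
function resolve_template(string $name): ?string
{
    static $allowed = [
        'default' => 'default.php',
        'grid'    => 'grid.php',
        'list'    => 'list.php',
    ];
    if (!isset($allowed[$name])) {
        return null;                       // unknown name: refuse
    }
    $base = realpath(__DIR__ . '/templates');
    $path = realpath(__DIR__ . '/templates/' . $allowed[$name]);
    // Defence in depth: the resolved file must still lie under templates/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template_hardened(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        exit('Unknown template');
    }
    include $path;
}

// In a WordPress theme the value would normally pass through a sanitising
// accessor such as sanitize_key() before reaching this call.
render_template_hardened(isset($_GET['template']) ? (string) $_GET['template'] : 'default');
```

Because the allowlist lookup happens before any filesystem access, an unknown value is rejected with a 400 response and never reaches include(); the realpath check only guards against a later misconfiguration of the allowlist itself.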

Advisories

No advisories yet.

History

Thu, 23 Oct 2025 10:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wordpress; Wordpress wordpress
Vendors & Products                    Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Oct 2025 14:45:00 +0000

Type         Values Removed   Values Added
Description                   Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Karzo karzo allows PHP Local File Inclusion. This issue affects Karzo: from n/a through < 2.6.
Title                         WordPress Karzo theme < 2.6 - Local File Inclusion vulnerability
Weaknesses                    CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:16:24.317Z

Reserved: 2025-09-06T04:45:02.777Z

Link: CVE-2025-58955

Vulnrichment

Updated: 2025-10-22T18:17:52.755Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:52.287

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-58955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:30:13Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')