Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Greenify greenify allows PHP Local File Inclusion.This issue affects Greenify: from n/a through <= 2.2.
Published: 2025-11-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of filenames used in PHP include or require statements. An attacker who can influence the filename parameter may induce the application to include a local file, potentially revealing sensitive data or executing arbitrary code. The flaw can lead to information disclosure, code execution, or privilege escalation within the web server context.

Affected Systems

The issue affects the WordPress Greenify theme from its initial release up to and including version 2.2. Any site deploying Greenify 2.2 or earlier is potentially vulnerable. Sites using newer releases are not affected unless the fix was omitted.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity risk. The EPSS score of less than 1% suggests that, at the time of assessment, the likelihood of exploitation remains low, yet the vulnerability is still actionable. Because the flaw involves local file inclusion, an attacker could exploit it via crafted requests in the context of the website, making the risk real for exposed WordPress installations. The vulnerability is not listed in the CISA KEV catalog, but its high severity warrants prompt remediation.

Generated by OpenCVE AI on April 29, 2026 at 23:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Greenify theme to the latest available version that contains the LFI fix.
  • If an update is not available, disable the Greenify theme or uninstall it, and replace it with a maintained and secure alternative theme.
  • Apply strict input validation or harden the codebase by ensuring that any filenames used in include or require statements are validated against an allowed list or are located within a safe directory.

Generated by OpenCVE AI on April 29, 2026 at 23:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 17 Nov 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 06 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Designervily
Designervily greenify
Wordpress
Wordpress wordpress
Vendors & Products Designervily
Designervily greenify
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Greenify greenify allows PHP Local File Inclusion.This issue affects Greenify: from n/a through <= 2.2.
Title WordPress Greenify theme <= 2.2 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Designervily Greenify
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:51.219Z

Reserved: 2025-09-06T04:45:29.150Z

Link: CVE-2025-58994

cve-icon Vulnrichment

Updated: 2025-11-17T16:05:16.510Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:16:00.833

Modified: 2026-04-27T20:16:23.470

Link: CVE-2025-58994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T23:30:22Z

Weaknesses