Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Xcare xcare allows PHP Local File Inclusion. This issue affects Xcare: from n/a through < 6.5.
Published: 2025-10-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename for the include/require statement in the Xcare theme's PHP code allows an attacker to perform local file inclusion, potentially reading sensitive files or executing arbitrary code. This weakness corresponds to CWE-98 and can compromise the confidentiality, integrity, and availability of the WordPress site.

Affected Systems

The Xcare theme from Designervily is affected. All releases prior to version 6.5 are vulnerable; users running any older version should plan to upgrade.

Risk and Exploitability

With a CVSS score of 8.1 the vulnerability is rated high severity, while the EPSS score of less than 1% indicates a low, but not zero, current probability of exploitation. The issue is not in the CISA KEV catalog. The likely attack vector involves the theme's file inclusion mechanisms, which an attacker could reach through crafted requests or by manipulating theme files, potentially leading to file disclosure, or to code execution if attacker-writable files can be included.

Generated by OpenCVE AI on April 29, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Xcare theme to version 6.5 or newer to remove the vulnerable file inclusion mechanism.
  • If an upgrade is not feasible immediately, disable any theme options that allow arbitrary file inclusion and remove any custom code that passes user input to include or require statements.
  • Apply PHP hardening measures such as disabling allow_url_include, setting open_basedir to restrict file access, and configuring the web server to deny reads of sensitive files like /etc/passwd and wp-config.php.
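As an added illustration of the second and third recommendations above (this is not the Xcare theme's code; the function, allowlist entries and template names are hypothetical), a theme template loader that never builds an include path from request input and confines the resolved file to the theme's template directory:

```php
<?php
// Added example (hypothetical, not from the Xcare theme): a CWE-98-safe
// template loader for a WordPress theme.

// Weak pattern the CWE-98 description covers: the include target is built
// directly from request input, so "../" sequences or absolute paths can pull
// in any file PHP can read.
//   include get_template_directory() . '/templates/' . $_GET['tpl'] . '.php';

/**
 * Map a requested logical template name to a file inside $template_dir.
 * Returns the resolved real path, or null if the name is not allowlisted
 * or the file resolves outside the template directory.
 */
function safe_template_path(string $requested, string $template_dir): ?string {
    // Only these logical names are accepted; the request never names a path.
    $allowlist = [
        'home'    => 'home.php',
        'service' => 'service.php',
        'contact' => 'contact.php',
    ];
    if (!isset($allowlist[$requested])) {
        return null;
    }
    $base = realpath($template_dir);
    $path = realpath($template_dir . DIRECTORY_SEPARATOR . $allowlist[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // Defence in depth: even an allowlisted entry (e.g. a symlink) must
    // resolve to a location under the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage inside a theme file. get_template_directory() is WordPress's own
// helper; the 'tpl' query parameter is an assumed, constructed input.
$template_dir = get_template_directory() . '/templates';
$tpl  = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'home';
$path = safe_template_path($tpl, $template_dir);
if ($path === null) {
    // Unknown or out-of-tree request: fall back to a fixed default, never to the input.
    $path = $template_dir . '/home.php';
}
include $path;
```

Setting open_basedir in php.ini to the web root, as the third recommendation suggests, adds a second boundary below this check, so a future regression in the theme cannot reach files such as /etc/passwd.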

Tracking

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  • cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in designervily Xcare xcare allows PHP Local File Inclusion. This issue affects Xcare: from n/a through < 6.5.
Type: Title
Values Added: WordPress Xcare theme < 6.5 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:19:30.913Z

Reserved: 2025-09-17T18:00:39.585Z

Link: CVE-2025-59550

Vulnrichment

Updated: 2025-10-23T16:08:27.923Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:53.850

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-59550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:30:13Z

Weaknesses