Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion.This issue affects Soledad: from n/a through <= 8.6.8.
Published: 2025-09-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename for include/require in PenciDesign Soledad, allowing attackers to craft a path that resolves to an arbitrary local file. Because the theme performs a PHP include with insufficient validation, an attacker could read sensitive files such as configuration or password files, or potentially execute code if a writable file is included. The weakness is classified as CWE‑98.

Affected Systems

This issue affects the WordPress Soledad theme by PenciDesign version 8.6.8 and earlier. Sites that are running any of those versions of the theme are vulnerable; no other products are impacted.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity and the EPSS score of less than 1% suggests a low but non‑zero probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog, but because the flaw permits local file inclusion potentially from a remote crafted request, it could be abused by an attacker with network access to the WordPress administration or front‑end. The attack vector is inferred to be remote through a crafted URL if the theme’s include is triggered by a request parameter.

Generated by OpenCVE AI on April 30, 2026 at 00:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Soledad theme to version 8.6.9 or later, which eliminates the insecure include logic.
  • If an update is not immediately possible, disable the vulnerable file inclusion by editing theme files to remove or replace the parameterized include with a hard‑coded safe path.
  • Ensure WordPress and the web server file permissions deny read access to sensitive files such as wp-config.php, and consider restricting the web root so that critical files are not accessible by the web server.

Generated by OpenCVE AI on April 30, 2026 at 00:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30463 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through 8.6.8.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through 8.6.8. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion.This issue affects Soledad: from n/a through <= 8.6.8.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Pencidesign
Pencidesign soledad
Wordpress
Wordpress wordpress
Vendors & Products Pencidesign
Pencidesign soledad
Wordpress
Wordpress wordpress

Tue, 23 Sep 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 22 Sep 2025 18:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through 8.6.8.
Title WordPress Soledad Theme <= 8.6.8 - Local File Inclusion Vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Pencidesign Soledad
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:53.031Z

Reserved: 2025-09-17T18:01:11.732Z

Link: CVE-2025-59588

cve-icon Vulnrichment

Updated: 2025-09-23T13:56:47.283Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:27.287

Modified: 2026-04-23T15:34:06.300

Link: CVE-2025-59588

cve-icon Redhat

Severity : Important

Publid Date: 2025-09-22T18:25:48Z

Links: CVE-2025-59588 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T00:45:24Z

Weaknesses