Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion. This issue affects Panda: from n/a through <= 1.21.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Panda WordPress theme, released by AxiomThemes, fails to properly control the filename passed to PHP include/require statements (CWE-98). The flaw lets the theme load and execute files from arbitrary locations on the server, which can result in disclosure of sensitive files or execution of attacker-controlled code within the WordPress environment.

Affected Systems

The vulnerability affects all releases of the Panda theme from the first available version (no lower bound specified) through version 1.21. Any WordPress site that has the Panda theme installed in one of those releases is susceptible.

Risk and Exploitability

The CVSS score of 8.1 indicates a high-severity issue. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability has not been added to the CISA KEV catalog. Although the description does not disclose the attack vector, LFI vulnerabilities typically rely on an attacker supplying a crafted file path that reaches an include or require statement.

Generated by OpenCVE AI on April 30, 2026 at 14:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Panda theme to a release newer than 1.21 (for example, 1.22) to remove the improper filename handling.
  • If an upgrade is not immediately possible, disable any file inclusion functionality that uses unvalidated paths within the theme.
  • Restrict file system permissions for the Panda theme directories to read-only for the web server user, thereby limiting the scope of any remaining LFI payloads.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 14 Jan 2026 22:00:00 +0000

Type: First Time appeared
  Values Added: Axiomthemes; Axiomthemes panda
Type: CPEs
  Values Added: cpe:2.3:a:axiomthemes:panda:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Added: Axiomthemes; Axiomthemes panda

Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 15:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Panda panda allows PHP Local File Inclusion. This issue affects Panda: from n/a through <= 1.21.
Type: Title
  Values Added: WordPress Panda theme <= 1.21 - Local File Inclusion vulnerability
Type: Weaknesses
  Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:53.806Z

Reserved: 2025-09-25T15:19:32.566Z

Link: CVE-2025-60050

Vulnrichment

Updated: 2025-12-18T15:04:22.601Z

NVD

Status: Modified

Published: 2025-12-18T08:16:04.613

Modified: 2026-04-27T16:16:30.283

Link: CVE-2025-60050

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T14:30:06Z

Weaknesses