Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fabrica fabrica allows PHP Local File Inclusion. This issue affects Fabrica: from n/a through <= 1.8.1.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of the filename used in an include/require statement in PHP, classifying it as a Local File Inclusion flaw. An attacker who can influence the file path may cause the server to include arbitrary local files, potentially revealing sensitive configuration or content, and in some cases may be able to trigger execution of PHP code. The weakness is a CWE-98 flaw in input handling for file operations.

Affected Systems

WordPress sites running the AncoraThemes Fabrica theme at version 1.8.1 or earlier are affected. Upgrading beyond 1.8.1 removes the flaw; any 1.8.1 or older build remains vulnerable. The issue is present in the theme's core files responsible for rendering content and can be triggered via exposed or unvalidated request parameters.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests a low current probability of exploitation, though this could rise if the vulnerability is actively exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that attackers could manipulate the file path supplied through the website's query string or form inputs, leading to local file disclosure or code execution, depending on the server context and permissions.

Generated by OpenCVE AI on April 30, 2026 at 04:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fabrica theme to version 1.9 or later, which contains the fix for the improper filename validation
  • If an upgrade is not immediately possible, restrict file system permissions so that the web process cannot read arbitrary files, and ensure the PHP allow_url_include setting is disabled
  • Implement input validation or a whitelist for include paths in the theme’s PHP code, ensuring that only expected, safe file names are processed
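The allow-list approach from the last action, as an added illustration (hypothetical helper code, not the Fabrica theme's own code and not from OpenCVE); the template names, the `tpl` parameter and the `templates/` directory are assumptions for the example.

```php
<?php
// Added illustration of an allow-list for include paths (CWE-98 mitigation).
// Hypothetical helper; not code from the Fabrica theme.

// Unsafe pattern: the request parameter chooses the included file directly,
// so whatever the caller puts in the parameter decides what gets included:
//   include __DIR__ . '/templates/' . $_GET['tpl'] . '.php';

/**
 * Map a caller-supplied template name to a file through a fixed allow-list.
 * Returns the absolute path, or null when the name is not one we expect.
 */
function fabrica_demo_resolve_template(string $requested, string $base_dir): ?string
{
    // Allow-list: the only template names the theme is ever expected to load.
    static $allowed = [
        'portfolio' => 'portfolio.php',
        'gallery'   => 'gallery.php',
        'contact'   => 'contact.php',
    ];

    if (!array_key_exists($requested, $allowed)) {
        return null;   // unknown name: refuse rather than guess
    }

    $path = realpath($base_dir . '/' . $allowed[$requested]);
    $root = realpath($base_dir);

    // Defence in depth: even a listed name must resolve inside the template dir.
    if ($path === false || $root === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: a rejected name becomes a 404, never a fallback include.
$base = __DIR__ . '/templates';                           // assumed directory
$tpl  = isset($_GET['tpl']) ? (string) $_GET['tpl'] : 'portfolio';
$file = fabrica_demo_resolve_template($tpl, $base);
if ($file === null) {
    http_response_code(404);
    exit('Unknown template');
}
include $file;
```

The realpath check is a second barrier only; the allow-list lookup is what prevents request input from ever forming part of the path.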

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics
Values Removed:
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L'}
Values Added:
  cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 19 Dec 2025 09:30:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 15:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L'}
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fabrica fabrica allows PHP Local File Inclusion.This issue affects Fabrica: from n/a through <= 1.8.1.

Type: Title
Values Added: WordPress Fabrica theme <= 1.8.1 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References
Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:53.778Z

Reserved: 2025-09-25T15:19:32.566Z

Link: CVE-2025-60055

Vulnrichment

Updated: 2025-12-18T14:54:45.326Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:05.250

Modified: 2026-04-27T18:16:23.127

Link: CVE-2025-60055

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:00:14Z

Weaknesses