Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Katelyn katelyn allows PHP Local File Inclusion.This issue affects Katelyn: from n/a through <= 1.0.10.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper control of the filename passed to a PHP include/require statement (CWE-98), exploitable here as Local File Inclusion. An attacker who can influence that path can make the theme include files it was never meant to expose. Because include executes any PHP found in the target file, the outcome ranges from disclosure of sensitive files (for example, configuration files holding database credentials, which can be read in full through a php://filter wrapper when the value reaches the start of the path) to execution of arbitrary code, provided the attacker can first place PHP content somewhere the web server process can read, such as an upload directory or a log file. Confidentiality and integrity of the site are therefore at risk.

Affected Systems

The affected product is the WordPress Katelyn theme by Axiom Themes. All versions up to and including 1.0.10 are affected; the record gives no lower bound ("from n/a"). Any site with one of these versions installed should be treated as exposed.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is rated high severity. The EPSS score below 1% indicates that the probability of exploitation is currently low, and the CVE is not listed in the CISA KEV catalog. Exploitation requires the ability to influence the file path that the theme passes to an include or require call, most plausibly through a URL parameter or form field that reaches the call without validation; the record does not name the parameter. The two CVSS 3.1 vectors recorded in the History section agree on the score but not on the conditions: one requires user interaction (UI:R) and assumes no availability impact, the other assumes high attack complexity (AC:H) with no user interaction and full availability impact. Because the included file runs under the web server's process, the attacker gains read access to any file that user can read, and code execution if PHP content can be placed in such a file.

Generated by OpenCVE AI on April 29, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Katelyn theme to a version later than 1.0.10 that addresses this issue as soon as Axiom Themes releases one; at the time of writing the record lists no fixed version.
  • If no fixed version is available, deactivate the Katelyn theme so WordPress no longer loads its code. Deactivation only helps if the vulnerable code is reached through WordPress's theme hooks; if the affected file can be requested directly from the theme's directory under wp-content/themes/, remove the theme directory from the server instead.
  • As a short‑term mitigation, restrict which files PHP can open and execute: tighten filesystem permissions so the web server user cannot read files it does not need (wp-config.php is the usual priority), set PHP's open_basedir to the site's document root and its temp directory, and block execution of PHP under the uploads directory. None of these remove the flaw; they limit what an attacker can reach through it.
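The Risk and Exploitability paragraph above describes the attack (a crafted value reaching an unvalidated include) and the actions above describe the fix. The PHP below is an added illustration of both; it is not code from the Katelyn theme or from Axiom Themes. The record does not disclose the theme's vulnerable parameter, so the `template` parameter, the template directory and the allowlist of template names are assumptions made for the demo, as are the probe strings, which are constructed to resemble what LFI scanners send.

```php
<?php
// Added illustrative example (not the Katelyn theme's code): the generic
// CWE-98 pattern this record describes, next to a hardened replacement.
// The "template" parameter, the template directory and the allowlist are
// assumptions for the demo.
declare(strict_types=1);

// VULNERABLE: the request value is used as the include target as-is.
// "../../../../etc/passwd" reads a file; "php://filter/convert.base64-encode/
// resource=wp-config.php" leaks source; any PHP inside the included file
// (an upload, a poisoned log) is executed. A fixed directory prefix does not
// fix this: "../" traversal still works, only the wrappers stop working.
function render_vulnerable(string $template): void
{
    include $template;
}

// HARDENED: map the untrusted value onto a known name first, then resolve
// the real path and refuse anything that does not stay inside $baseDir.
function resolve_template(string $name, string $baseDir): ?string
{
    static $allowed = ['single', 'archive', 'page'];   // assumed allowlist
    if (!in_array($name, $allowed, true)) {            // rejects "../", "php://", NUL bytes
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php'); // false if the file does not exist
    if ($base === false || $path === false) {
        return null;
    }
    // Belt and braces: the resolved file must sit below the template root.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $template, string $baseDir): bool
{
    $path = resolve_template($template, $baseDir);
    if ($path === null) {
        return false;   // caller answers 400/404; nothing is included
    }
    include $path;
    return true;
}

// Stand-alone CLI demo: a constructed template directory and constructed
// probe inputs of the kind LFI scanners send.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
    mkdir($dir, 0700);
    file_put_contents($dir . '/single.php', "<?php echo \"rendered single.php\\n\";\n");

    $probes = [
        'single',                                                   // legitimate
        'archive',                                                  // allowlisted, file missing
        '../../../../etc/passwd',                                   // traversal
        'php://filter/convert.base64-encode/resource=wp-config.php', // stream wrapper
        "single\0",                                                 // NUL-byte truncation
    ];
    foreach ($probes as $p) {
        $r = resolve_template($p, $dir);
        printf("%-62s => %s\n", json_encode($p, JSON_UNESCAPED_SLASHES),
               $r === null ? 'REJECTED' : 'OK ' . basename($r));
    }
    render_hardened('single', $dir);   // the one legitimate case is included

    unlink($dir . '/single.php');
    rmdir($dir);
}
```

Run it with `php lfi_demo.php`: only the allowlisted name that exists on disk resolves; traversal, wrapper and NUL-byte probes are rejected before realpath() ever sees them. The allowlist-then-realpath pattern is what a patched theme should do. open_basedir (for example `php_admin_value open_basedir "/var/www/site/:/tmp/"` in the Apache vhost) is defense in depth that limits which files a still-vulnerable include can reach, but it does not stop inclusion of files already inside the web root, such as uploads, which is why blocking PHP execution under the uploads directory belongs alongside it.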

Generated by OpenCVE AI on April 29, 2026 at 22:19 UTC.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1)
    Removed: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
    Added:   {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 23 Dec 2025 20:00:00 +0000

  First Time appeared (added): Axiomthemes; Axiomthemes katelyn
  CPEs (added): cpe:2.3:a:axiomthemes:katelyn:*:*:*:*:*:wordpress:*:*
  Vendors & Products (added): Axiomthemes; Axiomthemes katelyn

Fri, 19 Dec 2025 09:30:00 +0000

  First Time appeared (added): Wordpress; Wordpress wordpress
  Vendors & Products (added): Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

  Metrics (added)
    cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

  Description (added): Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Katelyn katelyn allows PHP Local File Inclusion.This issue affects Katelyn: from n/a through <= 1.0.10.
  Title (added): WordPress Katelyn theme <= 1.0.10 - Local File Inclusion vulnerability
  Weaknesses (added): CWE-98
  References (added): (none shown)

MITRE
  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-04-28T16:13:53.825Z
  Reserved: 2025-09-25T15:19:39.458Z
  Link: CVE-2025-60066

Vulnrichment
  Updated: 2025-12-18T18:17:18.621Z

NVD
  Status: Modified
  Published: 2025-12-18T08:16:06.667
  Modified: 2026-04-27T16:16:31.207
  Link: CVE-2025-60066

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-29T22:30:21Z

Weaknesses