Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Giardino giardino allows PHP Local File Inclusion.This issue affects Giardino: from n/a through <= 1.1.10.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper validation of filenames used in include/require statements, enabling attackers to supply arbitrary file paths. This flaw can lead to reading or executing local files, exposing sensitive configuration data or allowing arbitrary code execution when the included file contains malicious content.

Affected Systems

WordPress sites that have the Giardino theme from axiomthemes installed in any version up to and including 1.1.10 are affected. The CVE explicitly states the range "n/a through <= 1.1.10".

Risk and Exploitability

The CVSS score of 8.1 indicates a high risk level. EPSS is less than 1%, indicating a very low probability of exploitation in the wild at this time, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector involves sending a crafted URL or form input that manipulates the include path, making this flaw exploitable from a web client if the theme processes untrusted input.

Generated by OpenCVE AI on April 30, 2026 at 04:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Giardino theme to version 1.1.11 or later where the update eliminates the unsanitized include.
  • Review and refactor the theme’s PHP code to validate or whitelist all filenames that are passed to include or require statements.
  • Configure the web server or PHP settings to restrict directory traversal and prevent reading from system directories (e.g., using 'open_basedir' or similar restrictions).

Generated by OpenCVE AI on April 30, 2026 at 04:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Axiomthemes
Axiomthemes giardino
CPEs cpe:2.3:a:axiomthemes:giardino:*:*:*:*:*:wordpress:*:*
Vendors & Products Axiomthemes
Axiomthemes giardino

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Giardino giardino allows PHP Local File Inclusion.This issue affects Giardino: from n/a through <= 1.1.10.
Title WordPress Giardino theme <= 1.1.10 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Axiomthemes Giardino
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:53.825Z

Reserved: 2025-09-25T15:19:39.458Z

Link: CVE-2025-60067

cve-icon Vulnrichment

Updated: 2025-12-18T18:49:33.135Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:16:06.800

Modified: 2026-04-27T16:16:31.350

Link: CVE-2025-60067

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T05:00:14Z

Weaknesses