Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The MinimogWP theme contains an improper control of filename in PHP include/require statements, enabling local file inclusion. An attacker who can influence the file path may read or execute arbitrary files on the server, potentially leading to data disclosure, unauthorized code execution, or full site compromise. The weakness is identified as CWE‑98, a classic input validation flaw that leverages PHP’s file inclusion semantics for exploitation.

Affected Systems

All installations of the MinimogWP WordPress theme from ThemeMove that use version 3.9.6 or earlier are affected, regardless of additional plugins or server configurations. The vulnerability applies to any WordPress instance hosting the affected theme.

Risk and Exploitability

With a CVSS score of 8.1, the issue is classified as high severity, while an EPSS score of less than 1% indicates a low current exploitation probability. The flaw is not listed in the CISA KEV catalog, suggesting no widespread exploitation has been reported. Attackers are likely to exploit the vulnerability by manipulating request parameters or template inputs that feed the insecure include/require logic, potentially granting them the ability to read sensitive files or execute code if the server environment permits.

Generated by OpenCVE AI on April 29, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MinimogWP theme to the latest release (3.9.7 or newer) to eliminate the vulnerable include logic.
  • If an immediate upgrade is not feasible, remove or disable the MinimogWP theme and restore a predecessor or alternative theme that does not rely on dynamic includes.
  • Apply a web application firewall or server configuration that blocks execution of PHP files in theme directories and restricts file paths used in include/require statements to known safe directories.

Generated by OpenCVE AI on April 29, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Thu, 29 Jan 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Thememove
Thememove minimogwp
CPEs cpe:2.3:a:thememove:minimogwp:*:*:*:*:*:wordpress:*:*
Vendors & Products Thememove
Thememove minimogwp

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion.This issue affects MinimogWP: from n/a through <= 3.9.6.
Title WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Thememove Minimogwp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.063Z

Reserved: 2025-09-25T15:19:48.980Z

Link: CVE-2025-60069

cve-icon Vulnrichment

Updated: 2025-12-18T18:26:56.399Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:16:07.063

Modified: 2026-04-27T16:16:31.487

Link: CVE-2025-60069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses