Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Riode riode allows PHP Local File Inclusion. This issue affects Riode: from n/a through <= 1.6.23.
Published: 2025-12-18
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper control of the filename used in a PHP include/require statement within the don-themes Riode theme. An attacker can supply a crafted input that causes the theme to include an arbitrary local file, potentially exposing sensitive data such as configuration files, credentials, or source code, and in some cases may enable execution of malicious code if the attacker can manipulate included content. This flaw is commonly referred to as a PHP Local File Inclusion vulnerability and directly threatens the confidentiality and integrity of the WordPress installation.

Affected Systems

WordPress sites that use the Riode theme from don-themes. All releases of the theme up to and including version 1.6.23 are affected; no lower bound is given (hence "from n/a").

Risk and Exploitability

The CVSS score of 8.1 reflects high severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation at the time of this analysis. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to supply a crafted request that makes the theme resolve and include a local file path, so the likely vectors are directory traversal in the supplied path or inclusion of a file the attacker has already placed on the server through an upload feature. The potential impact is broad because any file readable by the web server process may be included, which could lead to data leakage or compromise of the entire WordPress site.

Generated by OpenCVE AI on April 29, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Riode theme to the latest version (1.6.24 or newer) where the file inclusion paths are properly validated.
  • If an immediate upgrade is not possible, disable or uninstall the Riode theme until a patch is available and switch to a trusted alternative theme.
  • Apply a file path whitelist or use PHP’s realpath checks to ensure that only files from a designated safe directory can be included, thereby preventing arbitrary file inclusion.
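
One way to implement the allow-list and realpath check from the last bullet, as an added example that is not code from the Riode theme, Patchstack or OpenCVE; the function names, the temporary template directory and the demo inputs are assumptions:

```php
<?php
// Added example (not Riode theme code): confine a user-controlled template
// name to one directory before passing it to include, using a strict name
// pattern plus a realpath() prefix check as defence in depth.

function resolve_template_path(string $requested, string $templateDir): ?string
{
    // Only plain file names with a .php extension: no slashes, no "..",
    // no NUL bytes, no stream wrappers.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $requested)) {
        return null;
    }

    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $requested);

    // realpath() returns false for missing files and canonicalises
    // symlinks and "..", so the prefix check runs on the real location.
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function safe_include_template(string $requested, string $templateDir): bool
{
    $path = resolve_template_path($requested, $templateDir);
    if ($path === null) {
        return false; // caller falls back to a default template
    }
    include $path;
    return true;
}

// Constructed demo: a temporary template directory holding one real template.
$dir = sys_get_temp_dir() . '/template-demo-' . getmypid();
mkdir($dir);
file_put_contents($dir . '/product.php', "<?php echo \"product template\\n\";");

var_dump(safe_include_template('product.php', $dir));      // allowed
var_dump(safe_include_template('../secret.php', $dir));    // traversal rejected
var_dump(safe_include_template("product.php\0.txt", $dir)); // NUL byte rejected

unlink($dir . '/product.php');
rmdir($dir);
```

Logging the rejected name (without including it) gives a detection signal for probing of the template parameter.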

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Riode | Multi-Purpose WooCommerce riode allows PHP Local File Inclusion.This issue affects Riode | Multi-Purpose WooCommerce: from n/a through <= 1.6.23.
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Riode riode allows PHP Local File Inclusion.This issue affects Riode: from n/a through <= 1.6.23.

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Sun, 21 Dec 2025 21:30:00 +0000

Type: First Time appeared
Values Added: Don-themes; Don-themes riode; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Don-themes; Don-themes riode; Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 19:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Dec 2025 07:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in don-themes Riode | Multi-Purpose WooCommerce riode allows PHP Local File Inclusion.This issue affects Riode | Multi-Purpose WooCommerce: from n/a through <= 1.6.23.

Type: Title
Values Added: WordPress Riode | Multi-Purpose WooCommerce theme <= 1.6.23 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:54.105Z

Reserved: 2025-09-25T15:19:48.980Z

Link: CVE-2025-60071

Vulnrichment

Updated: 2025-12-18T18:57:29.624Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:07.410

Modified: 2026-04-27T16:16:31.627

Link: CVE-2025-60071

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T22:30:21Z

Weaknesses