Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon allows PHP Local File Inclusion. This issue affects Saxon - Viral Content Blog & Magazine Marketing WordPress Theme: from n/a through <= 1.9.3.
Published: 2025-11-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from inadequate validation of a filename used in an include/require statement within the Saxon theme. An attacker controlling the filename can force the PHP interpreter to read or execute arbitrary files on the server. This could expose confidential data or allow the execution of malicious code, resulting in a compromise of confidentiality, integrity, and availability of the WordPress site. The CVSS score of 8.1 indicates a high‑severity threat.

Affected Systems

The affected product is the dedalx Saxon – Viral Content Blog & Magazine Marketing WordPress Theme, versions up to and including 1.9.3. No other versions are listed as vulnerable.

Risk and Exploitability

Given the low EPSS score of less than 1 % and the absence of a listing in the CISA KEV catalog, the likelihood of observed exploitation is currently low, but the high CVSS score means that if an exploitation path is discovered, the risk would be significant. The attack vector is inferred to be Local File Inclusion, potentially exploitable through theme settings or URL parameters that influence the include target. Successful exploitation would require an attacker able to supply or influence a file path that is then included by the theme's PHP code.

Generated by OpenCVE AI on April 29, 2026 at 13:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Saxon WordPress theme to a version newer than 1.9.3 that has the include/require statement properly validated.
  • If an immediate update is not possible, modify the theme’s PHP files that perform include/require operations to enforce a whitelist of absolute paths or remove the ability to specify arbitrary file names.
  • Disable all theme options or custom code that permits user-specified file paths, and consider reverting to a default theme until the vulnerability is patched.

Generated by OpenCVE AI on April 29, 2026 at 13:55 UTC.


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 16:15:00 +0000

Type: Metrics
Values Removed:
cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
Values Added:
cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 07 Nov 2025 09:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 20:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Dedalx; Dedalx saxon; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Dedalx; Dedalx saxon; Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 18:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon allows PHP Local File Inclusion. This issue affects Saxon - Viral Content Blog & Magazine Marketing WordPress Theme: from n/a through <= 1.9.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Saxon - Viral Content Blog & Magazine Marketing WordPress Theme theme <= 1.9.3 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:40:20.107Z

Reserved: 2025-09-25T15:28:34.982Z

Link: CVE-2025-60198

Vulnrichment

Updated: 2025-11-06T17:44:58.250Z

NVD

Status: Deferred

Published: 2025-11-06T16:16:05.113

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-60198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T14:00:12Z

Weaknesses