Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Academist academist.This issue affects Academist: from n/a through < 1.3.
Published: 2025-11-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filenames supplied to PHP include/require statements in the Academist WordPress theme. This flaw allows an attacker to specify arbitrary file paths, potentially leading to the reading or execution of unintended files, thereby compromising confidentiality or integrity and enabling remote code execution.

Affected Systems

The affected product is the Elated‐Themes Academist theme for WordPress, versions earlier than 1.3. No specific version numbers are listed, but all releases identified as < 1.3 are vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity level. The EPSS score of less than 1% suggests a low probability of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a web‑based input that influences the include/require function, such as a crafted URL or form parameter. An attacker could supply a path to sensitive files or inject a PHP file to be included, potentially achieving remote code execution if the included file is processed by the server.

Generated by OpenCVE AI on April 29, 2026 at 20:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Academist theme to version 1.3 or later, which contains the fix for the file inclusion issue.
  • If an upgrade is not immediately possible, apply a temporary patch by modifying the theme’s PHP files to validate and sanitize any parameters used in include/require calls, ensuring only permitted paths are allowed.
  • Configure the WordPress environment to set 'allow_url_include' to Off and use directory restrictions so that only local file paths can be included, reducing the risk of remote file inclusion attacks.

Generated by OpenCVE AI on April 29, 2026 at 20:13 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

 cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
References

Thu, 13 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
References

Thu, 06 Nov 2025 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Elated-themes
Elated-themes academist
Wordpress
Wordpress wordpress
Vendors & Products Elated-themes
Elated-themes academist
Wordpress
Wordpress wordpress

Thu, 06 Nov 2025 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 06 Nov 2025 16:00:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Academist academist.This issue affects Academist: from n/a through < 1.3.
Title WordPress Academist theme < 1.3 - Local File Inclusion vulnerability
Weaknesses CWE-98
References

Subscriptions

Elated-themes Academist
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:00.193Z

Reserved: 2025-10-07T15:34:37.452Z

Link: CVE-2025-62055

cve-icon Vulnrichment

Updated: 2025-11-06T17:57:53.688Z

cve-icon NVD

Status : Deferred

Published: 2025-11-06T16:16:11.880

Modified: 2026-04-27T18:16:24.830

Link: CVE-2025-62055

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:15:19Z

Weaknesses