Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Revolution revolution. This issue affects Revolution: from n/a through < 2.5.8.
Published: 2025-11-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Revolution WordPress theme contains a flaw that allows an attacker to control the filename passed to a PHP include or require statement. Because the path is not validated, the server can be made to include a file of the attacker's choosing, which can lead to execution of arbitrary code on the web server and full compromise of the site. The weakness is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).

Affected Systems

All installations of the fuelthemes Revolution theme that are older than version 2.5.8 are affected. The vulnerability applies to every site running the theme from its earliest releases through 2.5.7, and the fix is included in 2.5.8 and later releases.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score of less than 1% suggests that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker would trigger the vulnerable include via normal web traffic by crafting a request that supplies a malicious filename parameter, thereby achieving remote code execution. Note that the CVSS 3.1 vector recorded for this entry (AV:N/AC:H/PR:L/UI:N) rates attack complexity as high and requires low privileges, and the Patchstack title describes the issue as local file inclusion, so the scoring does not assume an unauthenticated attacker.

Generated by OpenCVE AI on April 30, 2026 at 05:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Revolution theme to version 2.5.8 or later to apply the vendor fix
  • If an update cannot be applied immediately, deactivate or remove the vulnerable theme to prevent the include path from being exercised
  • Ensure that the theme’s directory is not directly accessible via the web by applying proper file permissions or .htaccess restrictions
  • Validate and sanitize any file paths before inclusion within the theme to prevent uncontrolled file inclusion
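The last recommendation is the root-cause fix for CWE-98. The following is an added illustration, not code from the Revolution theme or from Patchstack: the generic unsafe include pattern sits beside a hardened version that maps an untrusted request value onto a fixed allowlist and, as defence in depth, confirms the resolved path stays inside the intended directory. The parameter name `template`, the `templates/` directory and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example (not the Revolution theme's code). The "template" request
// parameter and the templates/ directory are assumptions for illustration.

// --- Unsafe pattern (CWE-98): the request value becomes part of the include path.
// With allow_url_include enabled this reaches remote files (RFI); even without
// it, "../" sequences reach files outside the intended directory (LFI).
function render_template_unsafe(string $template): void
{
    include __DIR__ . '/templates/' . $template . '.php';
}

// --- Hardened pattern: untrusted input selects a key, never a path.
const TEMPLATE_ALLOWLIST = [
    'home'    => 'home.php',
    'archive' => 'archive.php',
    'single'  => 'single.php',
];

/**
 * Return the absolute path of an allowlisted template, or null if the
 * requested key is unknown or resolves outside the templates directory.
 */
function resolve_template(string $requested): ?string
{
    // 1. Exact-match allowlist: anything not listed is rejected outright,
    //    so traversal sequences and URLs never reach the filesystem.
    if (!array_key_exists($requested, TEMPLATE_ALLOWLIST)) {
        return null;
    }

    // 2. Containment check: the resolved file must exist and must remain
    //    under the templates directory even if the allowlist is later edited.
    $base = realpath(__DIR__ . '/templates');
    $path = realpath($base . '/' . TEMPLATE_ALLOWLIST[$requested]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_template(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

// Constructed sample inputs (not taken from the advisory) showing what the
// allowlist accepts and rejects. Only "home" and "single" can ever be included.
$samples = ['home', '../../some-other-file', 'http://attacker.invalid/x', 'single'];
foreach ($samples as $sample) {
    printf("%-28s -> %s\n", $sample, resolve_template($sample) ?? 'rejected');
}
```

The allowlist is the control that matters; the `realpath` containment check only guards against a future mistake in the allowlist itself. In a WordPress theme the same idea is usually expressed by calling `get_template_part()` with a fixed slug chosen by theme logic rather than passing any request-supplied value into `include`.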



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics
  Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values Added:   ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}
  Values Added:   cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 06 Nov 2025 20:30:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Thu, 06 Nov 2025 17:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 06 Nov 2025 16:00:00 +0000

Type: Description
  Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes Revolution revolution. This issue affects Revolution: from n/a through < 2.5.8.

Type: Title
  Values Added: WordPress Revolution theme < 2.5.8 - Local File Inclusion vulnerability

Type: Weaknesses
  Values Added: CWE-98

Type: References
  Values Added: (not shown)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:00.783Z

Reserved: 2025-10-07T15:34:44.824Z

Link: CVE-2025-62066

Vulnrichment

Updated: 2025-11-06T16:47:16.954Z

NVD

Status : Deferred

Published: 2025-11-06T16:16:12.617

Modified: 2026-04-27T18:16:25.137

Link: CVE-2025-62066

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T05:15:28Z

Weaknesses