Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in 8theme XStore xstore allows PHP Local File Inclusion. This issue affects XStore: from n/a through < 9.6.1.
Published: 2025-12-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of the filename used in PHP include/require statements in the XStore WordPress theme allows attackers to read or execute arbitrary local files. This flaw is identified as CWE‑98 and carries a CVSS score of 7.5, indicating high severity. The vulnerability potentially enables remote code execution if critical files are included, or unauthorized disclosure of sensitive data such as configuration files.

Affected Systems

All installations of the 8theme XStore WordPress theme running any version before 9.6.1 are vulnerable. No specific vendor patch is listed in the data, so any pre‑9.6.1 deployment remains at risk until updated to the fixed release.

Risk and Exploitability

The EPSS score is below 1%, suggesting that widespread exploitation is unlikely at the time of analysis, and the vulnerability is not listed in CISA's KEV catalog. The likely attack vector is inferred to be a local or remote request that manipulates the filename parameter used in include/require calls; by supplying a crafted path, an attacker can cause the theme to include unintended files. If successfully exploited, the attacker could read sensitive files or execute arbitrary PHP code, leading to full system compromise. The high CVSS score underscores the serious impact potential, even though the observed exploitation risk remains limited.

Generated by OpenCVE AI on April 29, 2026 at 18:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the XStore theme to version 9.6.1 or later to eliminate the vulnerability
  • Verify that the WordPress installation uses the latest theme files and that the theme directory has correct file permissions to prevent arbitrary file access
  • If a timely update is not possible, restrict the theme’s file inclusion logic by disabling the insecure include paths or by setting safe mode limits in PHP configuration
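The following is an added illustration of the CWE-98 pattern described in the analysis above and of the restricted include logic the recommended actions call for; it is not code from XStore, 8theme or OpenCVE, and the helper names, the parts directory and the request parameter name are assumptions.

```php
<?php
// Added example, not XStore code. Assumption: a theme helper loads a
// template part whose name comes from an HTTP request parameter.

// Vulnerable shape (CWE-98): the request value reaches include() unchanged,
// so the caller fully controls which file on disk gets included.
function load_part_vulnerable(string $name): void
{
    include __DIR__ . '/parts/' . $name . '.php';
}

// Hardened shape: map the request value onto a fixed allowlist of known
// template files and never build the include path from the raw string.
const ALLOWED_PARTS = [
    'header'  => 'parts/header.php',
    'footer'  => 'parts/footer.php',
    'sidebar' => 'parts/sidebar.php',
];

function resolve_part(string $name): ?string
{
    if (!array_key_exists($name, ALLOWED_PARTS)) {
        return null; // unknown input never reaches include()
    }
    // Defence in depth: the resolved file must still live under the theme
    // directory even if the allowlist itself is ever edited carelessly.
    $base = realpath(__DIR__);
    $path = realpath(__DIR__ . '/' . ALLOWED_PARTS[$name]);
    if ($base === false || $path === false) {
        return null;
    }
    $base .= DIRECTORY_SEPARATOR;
    if (strncmp($path, $base, strlen($base)) !== 0) {
        return null;
    }
    return $path;
}

function load_part_hardened(string $name): void
{
    $path = resolve_part($name);
    if ($path === null) {
        http_response_code(400); // reject rather than guess
        return;
    }
    include $path;
}

// Usage; the parameter name 'part' is an assumption for the example.
load_part_hardened((string) ($_GET['part'] ?? 'header'));
```

The allowlist lookup is what removes the CWE-98 condition: the request string selects a key, not a path, so traversal sequences, absolute paths and wrapper schemes are never evaluated by include().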


Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type                 Values Removed   Values Added
Metrics (ssvc)       -                {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 15:30:00 +0000

Tue, 20 Jan 2026 14:45:00 +0000

Fri, 19 Dec 2025 09:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                8theme; 8theme xstore; Wordpress; Wordpress wordpress
Vendors & Products   -                8theme; 8theme xstore; Wordpress; Wordpress wordpress

Thu, 18 Dec 2025 20:30:00 +0000

Type                 Values Removed   Values Added
Metrics (cvssV3_1)   -                {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 18 Dec 2025 07:45:00 +0000

Type                 Values Removed   Values Added
Description          -                Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in 8theme XStore xstore allows PHP Local File Inclusion. This issue affects XStore: from n/a through < 9.6.1.
Title                -                WordPress XStore theme < 9.6.1 - Local File Inclusion vulnerability
Weaknesses           -                CWE-98
References           -                -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:23:04.050Z

Reserved: 2025-10-29T03:06:57.131Z

Link: CVE-2025-64193

Vulnrichment

Updated: 2025-12-18T19:24:34.372Z

NVD

Status : Deferred

Published: 2025-12-18T08:16:10.630

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64193

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses