Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Eduma eduma allows PHP Local File Inclusion. This issue affects Eduma: from n/a through <= 5.7.6.
Published: 2025-10-29
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filenames for include/require in the Eduma theme allows a local file inclusion vulnerability. The flaw permits attackers to supply arbitrary file paths to the include mechanism, potentially reading sensitive configuration files or, if a PHP file is successfully included, executing arbitrary code. This weakness is captured by CWE-98 and can lead to information disclosure or remote code execution, compromising the confidentiality and integrity of the affected WordPress installation.

Affected Systems

The affected product is the ThimPress Eduma WordPress theme. Versions from the earliest releases through 5.7.6 are vulnerable. Administrators should verify that their site is using a version older than 5.7.6 and plan to upgrade if applicable.

Risk and Exploitability

The CVSS score of 7.5 classifies this issue as high severity. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. However, the flaw can be triggered by a public web request that manipulates the filename parameter, offering an unauthenticated route to read local files or execute code. Attackers would need only HTTP access to reach the vulnerable include path. While the odds of exploitation are low, the potential impact warrants prompt remediation.

Generated by OpenCVE AI on April 29, 2026 at 16:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Eduma theme to version 5.7.7 or later, which removes the vulnerable include logic.
  • If an upgrade is not immediately possible, edit the theme’s templates to remove the unsanitized include statements or filter the filename input strictly against a whitelist of allowable paths.
  • Implement a web application firewall or security plugin that blocks suspicious include parameters and restricts file permissions to prevent execution via local file inclusion.
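The second recommended action, filtering the filename input against an allow-list before it reaches include, is the control that CWE-98 describes. The following is an added example written for this page; it is not Eduma's or ThimPress's code, and the constant, function and parameter names (THEME_TEMPLATE_DIR, ALLOWED_TEMPLATES, resolve_theme_template, load_theme_template, the template query parameter) are hypothetical. It maps a request value to a fixed set of template files, canonicalises the result with realpath() and refuses anything that resolves outside the template directory, so a request value is never carried into the include path as-is.

```php
<?php
// Added example (not Eduma's or ThimPress's code): a template loader that
// resolves a request-supplied template name through a fixed allow-list and
// confirms the resolved path stays inside the theme's template directory.
// All names below are hypothetical.

declare(strict_types=1);

const THEME_TEMPLATE_DIR = __DIR__ . '/templates';

// Allow-list of the only template names the site needs. The request value is
// used as a lookup key, so no path characters from the request ever reach
// the file name handed to include; this is the CWE-98 control point.
const ALLOWED_TEMPLATES = [
    'course-grid' => 'course-grid.php',
    'course-list' => 'course-list.php',
    'instructor'  => 'instructor.php',
];

/**
 * Resolve a request parameter to an absolute template path, or return null
 * when the request is not one of the allowed templates.
 */
function resolve_theme_template(string $requested): ?string
{
    // 1. Exact key match against the allow-list; anything else is rejected.
    if (!array_key_exists($requested, ALLOWED_TEMPLATES)) {
        return null;
    }
    $candidate = THEME_TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$requested];

    // 2. Defence in depth: realpath() collapses '..' segments and symlinks,
    //    and the canonical result must still sit under the template directory.
    $base = realpath(THEME_TEMPLATE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

/**
 * Include the resolved template, or fail closed with a 400 and a log line
 * so that rejected requests are visible to monitoring.
 */
function load_theme_template(string $requested): void
{
    $path = resolve_theme_template($requested);
    if ($path === null) {
        error_log(sprintf('Rejected template request: %s', $requested));
        http_response_code(400);
        return;
    }
    include $path;
}

// Usage: the query parameter name 'template' is an assumption of this example.
load_theme_template((string) ($_GET['template'] ?? 'course-grid'));
```

The allow-list lookup alone closes the inclusion path; the realpath() prefix check is there so that a later edit to ALLOWED_TEMPLATES (for example a value containing a directory separator) cannot silently reopen it. The error_log() call on rejection gives a concrete string to alert on in web server or PHP logs.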


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Fri, 31 Oct 2025 19:15:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 30 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values Added: Thimpress; Thimpress eduma; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Thimpress; Thimpress eduma; Wordpress; Wordpress wordpress

Wed, 29 Oct 2025 14:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 29 Oct 2025 09:00:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Eduma eduma allows PHP Local File Inclusion. This issue affects Eduma: from n/a through <= 5.7.6.
Type: Title
Values Added: WordPress Eduma theme <= 5.7.6 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References
Values Added:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:23:21.298Z

Reserved: 2025-10-29T03:06:57.131Z

Link: CVE-2025-64195

Vulnrichment

Updated: 2025-10-29T13:38:45.866Z

NVD

Status: Deferred

Published: 2025-10-29T09:15:38.793

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T16:30:15Z

Weaknesses