Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting consulting allows PHP Local File Inclusion. This issue affects Consulting: from n/a through < 6.7.5.
Published: 2025-10-31
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper control of the filename used in a PHP include/require statement within the Consulting theme. This permits local file inclusion, which, if exploited, lets an attacker read arbitrary files on the server or execute attacker-supplied code. The weakness is categorized as CWE-98. The impact is the potential compromise of confidentiality, integrity, and availability of the WordPress site. Based on the description, the likely attack vector involves a crafted request that manipulates the include path without proper validation.

Affected Systems

WordPress sites that use the StylemixThemes Consulting theme with any version lower than 6.7.5 or without a patch. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity of the flaw. The EPSS score of <1% suggests a low exploitation probability at the moment, and the vulnerability is not listed in the CISA KEV catalog. However, local file inclusion can be a stepping stone to remote code execution if the attacker can upload or otherwise place malicious files in accessible directories. Because the vulnerability is in a theme that can be updated, the safest path is to acquire the patched version before any exploitation attempts surface.

Generated by OpenCVE AI on April 29, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the StylemixThemes Consulting theme to version 6.7.5 or later. This is the official CNA solution.
  • If upgrading is not immediately possible, remove or deactivate the consulting theme to eliminate the vulnerable code from the site.
  • Configure the web server’s file permissions to restrict the PHP include path to a safe directory and deny access to sensitive files.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values Added: Stylemixthemes; Stylemixthemes consulting; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Stylemixthemes; Stylemixthemes consulting; Wordpress; Wordpress wordpress

Fri, 31 Oct 2025 18:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 31 Oct 2025 11:45:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Consulting consulting allows PHP Local File Inclusion. This issue affects Consulting: from n/a through < 6.7.5.
Type: Title
Values Added: WordPress Consulting theme < 6.7.5 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:14.316Z

Reserved: 2025-10-31T11:23:06.890Z

Link: CVE-2025-64359

Vulnrichment

Updated: 2025-10-31T17:57:57.320Z

NVD

Status: Deferred

Published: 2025-10-31T12:15:36.307

Modified: 2026-04-27T16:16:41.080

Link: CVE-2025-64359

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:30:19Z

Weaknesses