Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeventhQueen Kleo kleo allows PHP Local File Inclusion. This issue affects Kleo: from n/a through < 5.5.0.
Published: 2025-10-31
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Kleo theme in versions prior to 5.5.0 builds the filename passed to a PHP include or require statement from a value an attacker can influence (CWE-98; the CWE title says "Remote File Inclusion", but the weakness covers any attacker-controlled include path, and the advisory classifies this instance as local file inclusion). An attacker who controls that value can make the application include arbitrary files from the server's filesystem, for example wp-config.php with its database credentials, compromising confidentiality. If the attacker can also get PHP code into a file the web server can read (an uploaded file, a poisoned log or session file), the inclusion executes it and the flaw becomes remote code execution; this possibility is inferred from the nature of the vulnerability rather than stated in the advisory.

Affected Systems

All WordPress sites that have installed the Kleo theme from SeventhQueen with a version earlier than 5.5.0 are affected. Versions 5.5.0 and later no longer contain the issue.

Risk and Exploitability

The CVSS 3.1 score of 7.5 (High) comes from the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network and needs no user interaction, but attack complexity is rated High and the attacker needs a low-privilege account, so it is not a single unauthenticated request. The EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: no) indicate no known in-the-wild exploitation at present, and the vulnerability is not listed in CISA's KEV catalog. Exploitation would consist of authenticated requests that place a chosen path into the theme's file inclusion logic; a successful inclusion affects confidentiality, integrity and availability (all rated High). Because the fix is a theme upgrade and the potential impact is total, remediation should not wait for evidence of active exploitation.

Generated by OpenCVE AI on April 29, 2026 at 20:17 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The affected range ("< 5.5.0") indicates that 5.5.0 is the first version without the flaw.

OpenCVE Recommended Actions

  • Upgrade the Kleo theme to version 5.5.0 or later.
  • Validate all file paths before including or requiring them: map request input onto a fixed allowlist of known template files and reject anything else, rather than trying to strip traversal sequences out of the user-supplied string.
  • Keep the PHP configuration directive allow_url_include set to Off (its default; the directive has been deprecated since PHP 7.4). This blocks inclusion through http:// and similar stream wrappers, but it does nothing against local file inclusion, which is what this advisory describes, so treat it as general hardening rather than a fix.

Generated by OpenCVE AI on April 29, 2026 at 20:17 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 03 Nov 2025 16:15:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
         |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 10:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wordpress; Wordpress wordpress
Vendors & Products  |                | Wordpress; Wordpress wordpress

Fri, 31 Oct 2025 11:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeventhQueen Kleo kleo allows PHP Local File Inclusion. This issue affects Kleo: from n/a through < 5.5.0.
Title       |                | WordPress Kleo theme < 5.5.0 - Local File Inclusion vulnerability
Weaknesses  |                | CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:31:10.075Z

Reserved: 2025-10-31T11:23:15.210Z

Link: CVE-2025-64363

Vulnrichment

Updated: 2025-11-03T15:19:53.191Z

NVD

Status : Deferred

Published: 2025-10-31T12:15:36.850

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64363

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:30:19Z

Weaknesses