Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Masterstudy masterstudy allows PHP Local File Inclusion. This issue affects Masterstudy: from n/a through < 4.8.126.
Published: 2025-10-31
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is improper control of the filename used in a PHP include/require statement. An attacker can force the application to include a local file, which can lead to the execution of arbitrary PHP code. The weakness maps to CWE-98, whose name refers to 'PHP Remote File Inclusion', although the issue described here is a local file inclusion. It can compromise the confidentiality, integrity, and availability of the affected WordPress site.

Affected Systems

The StylemixThemes Masterstudy theme for WordPress is affected. All versions prior to 4.8.126 are vulnerable. The theme uses user input to build include paths, so a specially crafted parameter supplied by a user can trigger the inclusion.

Risk and Exploitability

The CVSS score is 7.5, indicating high severity. The EPSS score is less than 1%, indicating a low estimated likelihood of exploitation at this time, and the CVE is not listed in the CISA KEV catalog. The likely attack vector is a crafted request that causes the theme to include a malicious local file by way of an unrestricted include path. Successful exploitation could result in the execution of arbitrary PHP code on the server.

Generated by OpenCVE AI on April 29, 2026 at 12:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Masterstudy theme to version 4.8.126 or newer, following the vendor’s release notes and upgrade path
  • Restrict the WordPress installation’s include path by configuring the theme to use only safe, absolute paths and by disabling any ability for external input to influence file inclusion
  • Ensure that file permissions on the server limit write and execute access to trusted accounts only, remove unused themes, and enforce a web application firewall to block suspicious inclusion attempts

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Mon, 03 Nov 2025 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 03 Nov 2025 10:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  Stylemixthemes
  Stylemixthemes masterstudy Lms
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  Stylemixthemes
  Stylemixthemes masterstudy Lms
  Wordpress
  Wordpress wordpress

Fri, 31 Oct 2025 11:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Masterstudy masterstudy allows PHP Local File Inclusion. This issue affects Masterstudy: from n/a through < 4.8.126.

Type: Title
Values Removed: (none)
Values Added: WordPress Masterstudy theme < 4.8.126 - Local File Inclusion vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-98
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:31:19.613Z

Reserved: 2025-10-31T11:23:15.210Z

Link: CVE-2025-64364

Vulnrichment

Updated: 2025-11-03T15:18:46.895Z

NVD

Status: Deferred

Published: 2025-10-31T12:15:36.983

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64364

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T12:45:11Z

Weaknesses