Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.5.
Published: 2025-12-09
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper control of filename in the include/require statement of the Wilmër theme, allowing local file inclusion. An attacker who can supply a crafted filename can cause the application to read or execute arbitrary files on the server, potentially leading to remote code execution, data exposure, or defacement. This weakness matches CWE‑98, which concerns improper handling of file names in include mechanisms.

Affected Systems

The flaw exists in the Wilmër theme by Mikado‑Themes for all releases earlier than version 3.5 on WordPress installations. Sites using any pre‑3.5 theme version are vulnerable.

Risk and Exploitability

The CVSS score of 8.8 signals high severity, while the EPSS score of less than 1% indicates a low current likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, but attackers possessing local or remote file upload capabilities could leverage this flaw to gain arbitrary code execution or read sensitive files. Successful exploitation grants the attacker the ability to compromise the integrity, confidentiality, or availability of the affected WordPress instance.

Generated by OpenCVE AI on April 29, 2026 at 19:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Wilmër theme to version 3.5 or later
  • If an upgrade is not immediately possible, remove or deactivate the theme to prevent file inclusion
  • Apply server‑level restrictions on file inclusion by tightening PHP settings (e.g., disable allow_url_include, restrict include_path)
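The server-level settings listed above (allow_url_include, include_path) limit what an include statement can reach, but they do not remove the CWE-98 weakness itself: a local file inclusion still works with remote URL inclusion disabled. The fix inside the application is to never build an include path from attacker-controlled input and instead map the input onto an allowlist of shipped templates. The following is an added example of that hardened pattern, not code from the Wilmër theme or Mikado-Themes (the advisory publishes no code). The directory layout, the function names `resolve_template` and `render_template`, the `TEMPLATE_DIR` constant and the template list are assumptions made for the illustration.

```php
<?php
// Added example (not the theme's code): include a template chosen by
// user-supplied input without letting that input become a path.
//
// Server-level setting from the recommended actions above (php.ini):
//   allow_url_include = Off   ; blocks http:// and similar include targets
// This alone does not stop local file inclusion, hence the allowlist below.

declare(strict_types=1);

// Assumption: all includable templates live in one fixed directory.
const TEMPLATE_DIR = __DIR__ . '/templates';

// Allowlist of template names the theme actually ships (assumed names).
// The request supplies only the key; the file name comes from this table.
const ALLOWED_TEMPLATES = [
    'header'  => 'header.php',
    'footer'  => 'footer.php',
    'sidebar' => 'sidebar.php',
];

/**
 * Resolve a user-supplied template name to an absolute path inside TEMPLATE_DIR.
 * Returns null for anything that is not an allowlisted, existing, in-tree file.
 */
function resolve_template(string $name): ?string
{
    // 1. Only a short bare identifier is acceptable: no '/', '\', ':', '.',
    //    NUL bytes or URL schemes can pass this pattern.
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $name)) {
        return null;
    }

    // 2. Map through the allowlist instead of concatenating the input into a path.
    if (!isset(ALLOWED_TEMPLATES[$name])) {
        return null;
    }

    // 3. Defence in depth: the resolved file must still sit inside TEMPLATE_DIR,
    //    which catches a symlinked or misconfigured allowlist entry.
    $base      = realpath(TEMPLATE_DIR);
    $candidate = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$name]);
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist: fail closed
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }

    return $candidate;
}

/** Include the resolved template, or fail closed with a 400. */
function render_template(string $name): void
{
    $path = resolve_template($name);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    // The only include in this code path; it only ever sees an allowlisted path.
    include $path;
}

// Constructed inputs (not from the advisory) exercising the resolver:
// a shipped name, a traversal attempt, a URL and a NUL-byte variant.
foreach (['header', '../wp-config', 'http://attacker.invalid/x', "header\0"] as $input) {
    printf("%-28s -> %s\n", json_encode($input), resolve_template($input) ?? 'rejected');
}
```

With a `templates/header.php` present, only the first constructed input resolves; the other three are rejected before any filesystem access because they fail the identifier pattern or the allowlist lookup. The `realpath` containment check is deliberately redundant with the allowlist so that a later edit to `ALLOWED_TEMPLATES` cannot silently reintroduce traversal. On the server side, `open_basedir` is a further real PHP directive that confines file access to listed directories and complements the `allow_url_include = Off` setting recommended above.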

Tracking

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Thu, 29 Jan 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Qodeinteractive; Qodeinteractive wilmer
Type: CPEs
Values Added: cpe:2.3:a:qodeinteractive:wilmer:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
Values Added: Qodeinteractive; Qodeinteractive wilmer

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 11 Dec 2025 20:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Mikado-themes; Mikado-themes wilmer; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Mikado-themes; Mikado-themes wilmer; Wordpress; Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wilmër wilmer allows PHP Local File Inclusion. This issue affects Wilmër: from n/a through < 3.5.
Type: Title
Values Added: WordPress Wilmër theme < 3.5 - Local File Inclusion vulnerability
Type: Weaknesses
Values Added: CWE-98
Type: References

Subscriptions

Mikado-themes Wilmer
Qodeinteractive Wilmer
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.652Z

Reserved: 2025-12-09T12:20:54.762Z

Link: CVE-2025-67515

Vulnrichment

Updated: 2025-12-11T19:01:35.974Z

NVD

Status : Modified

Published: 2025-12-09T16:18:24.407

Modified: 2026-04-27T18:16:39.930

Link: CVE-2025-67515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses