Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion. This issue affects Digiqole: from n/a through < 2.2.7.
Published: 2025-12-09
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper control of filename in PHP include/require allows a local file inclusion vulnerability in the Digiqole theme. An attacker can supply a crafted filename parameter that bypasses normal validation and causes the server to read and execute files from the local filesystem, potentially leading to arbitrary code execution or information disclosure. This weakness reflects the CWE-98 vulnerability class.

Affected Systems

The affected product is the Digiqole WordPress theme supplied by trippleS. Versions prior to 2.2.7 are vulnerable; the problem exists from the initial release up through any version less than 2.2.7.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score is less than 1%, indicating a low probability of exploitation at this time, and the vulnerability is not listed in CISA’s KEV catalog. However, because the flaw relies on an included filename that can be influenced by a user-supplied parameter, an attacker with local or remote access could exploit the LFI to read or execute arbitrary files. The likely attack vector is through a crafted HTTP request targeting the vulnerable PHP script that performs the include/require operation.

Generated by OpenCVE AI on April 29, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Digiqole theme to version 2.2.7 or newer, which removes the vulnerable code path.
  • If an upgrade is temporarily infeasible, remove or comment out any code that accepts user input for include/require paths and ensure all filename parameters are hard‑coded or validated against a whitelist.
  • As a temporary defensive measure, configure PHP to disable allow_url_include and enable open_basedir restrictions to limit the directories that can be accessed by include/require statements.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 11 Dec 2025 20:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
Values Added: Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress, Wordpress wordpress

Tue, 09 Dec 2025 14:30:00 +0000

Type: Description
Values Added: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Digiqole digiqole allows PHP Local File Inclusion. This issue affects Digiqole: from n/a through < 2.2.7.

Type: Title
Values Added: WordPress Digiqole theme < 2.2.7 - Local File Inclusion vulnerability

Type: Weaknesses
Values Added: CWE-98

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:19.971Z

Reserved: 2025-12-09T12:21:06.412Z

Link: CVE-2025-67527

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2025-12-09T16:18:27.280

Modified: 2026-04-27T18:16:41.437

Link: CVE-2025-67527

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T19:45:18Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')